by cirno 2050 days ago
Yes, and it bothers me a lot, even if it's in an iframe, that it has my real name from my Gmail account inside the unrelated third-party pages. I do not trust JavaScript iframe policies to prevent the host sites from exfiltrating my name from the Google signin frame. JavaScript and browser exploits have a long history.

This uBlock Origin rule blocks the popups at least:

##iframe[src*="accounts.google.com/gsi"]

1 comments

If there was a bug that let websites read from unrelated iframes then they could just open the iframes themselves.
X-Frame-Options and cookie access rules would help protect against that a layer beneath JavaScript. I get your point that ultimately any security breach can escalate to full-on compromise of all personal data. I still find it playing with fire to have completely unrelated sites having my name inside an iframe.