Penetration testing proof-of-concept XSS code. We commonly use alert to demo that it is executing code. Certainly there are other options; it’s just a common tool for many testers.
True; however, when people pop an alert from a cross-origin iframe for a bug bounty, 80% of the time they're pretending to be on the parent origin when they aren't and get sad when their report is rejected.
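
The origin question raised in the reply above, as an added example that is not part of either comment: a triage helper that works out which origin a script inside an iframe runs in and whether that is the embedding page's origin. The function names, attribute object and sample URLs are constructed for illustration.

```javascript
// Added example; function names and URLs below are constructed, not from the thread.

// Returns the origin a document loaded in an <iframe> runs in.
// `frame` mirrors the element's attributes: { src, srcdoc, sandbox }.
function frameOrigin(parentUrl, frame) {
  const parentOrigin = new URL(parentUrl).origin;
  if (frame.sandbox !== undefined) {
    const tokens = frame.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
    // Sandboxed without allow-same-origin: the document gets an opaque origin.
    if (!tokens.includes("allow-same-origin")) return "null";
  }
  // srcdoc and about:blank documents inherit the embedding page's origin.
  if (frame.srcdoc !== undefined) return parentOrigin;
  if (!frame.src || frame.src === "about:blank") return parentOrigin;
  // Resolve relative and scheme-relative URLs against the parent page.
  // data: URLs parse to the opaque origin "null", matching browser behaviour.
  return new URL(frame.src, parentUrl).origin;
}

// True only when script in the frame shares the parent page's origin.
function runsOnParentOrigin(parentUrl, frame) {
  const origin = frameOrigin(parentUrl, frame);
  return origin !== "null" && origin === new URL(parentUrl).origin;
}

// Constructed sample reports for a page at https://app.example.test/profile
const PARENT = "https://app.example.test/profile";
const SAMPLES = [
  { name: "third-party widget", frame: { src: "https://widgets.example.net/w.html" } },
  { name: "sandboxed user content", frame: { src: "/render", sandbox: "allow-scripts" } },
  { name: "same-origin embed", frame: { src: "/embed.html" } },
  { name: "srcdoc frame", frame: { srcdoc: "<p>hi</p>" } },
];

for (const s of SAMPLES) {
  const verdict = runsOnParentOrigin(PARENT, s.frame) ? "parent origin" : "NOT parent origin";
  console.log(`${s.name}: ${frameOrigin(PARENT, s.frame)} -> ${verdict}`);
}
```

Only the last two samples execute on the parent origin; the first two show a dialog from a different or opaque origin.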