Many of these arguments are context dependent. If I embed an iframe, then ask a user to log in / provide credentials to whatever is loaded into that iframe, I can see the argument since it is difficult to for the user to verify the origin. However, for something "read only" like a dashboard, I really don't see the argument.