Found the answer to my question here, explained nicely by Jeremy:
We can’t add allow-same-origin to our sandbox attribute, because it would allow cookies, localStorage and sessionStorage to be shared (or interfered with) across notebooks. They’re all hosted on observableusercontent.com.
That reasoning makes sense to me. I’d love to be able to use Observable with various Google APIs if the sandbox restrictions could be eased at some point in the future. 