Clickjacking attacks and notebook security?

Update! I recently learned about the Intersection Observer API in browsers designed to help solve the clickjacking problem:

Here is a great video about it:

Basically you can register a callback, supported in all major browsers, that tells you whether your iframe is being obscured in some way by the parent site. You can use this to safely enable or disable interactivity in your page while it is embedded in another site.

This is relevant if you build a notebook “application” that has user interactivity such as signing in, accessing secure content, buying things, etc. You want to allow your notebook to be embedded, e.g. with the Observable embed API, but to be safe you would have to restrict which domains are allowed to embed your notebook, using the X-Frame-Options header or by checking the ancestor origin from inside the iframe.
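Here is an added example (my own sketch, not code from the original post or from Observable) of the two checks described above: an Intersection Observer that fails closed unless the browser can confirm the frame is unobscured, and an ancestor-origin allowlist check. It assumes a container element with the id `notebook-actions`, an allowlist of embedder origins, and the Intersection Observer v2 fields `trackVisibility`, `delay` and `isVisible`; note that `isVisible` occlusion tracking is currently only implemented in Chromium-based browsers, and `location.ancestorOrigins` is absent in Firefox, so both paths treat "cannot tell" as "not safe".

```javascript
// Added example: gate interactive controls in an embedded notebook page.
// Assumptions (not from the original post): a container #notebook-actions,
// an allowlist of embedder origins, and Intersection Observer v2 support.

const MIN_VISIBLE_RATIO = 0.9; // assumed threshold: require ~all of the frame on screen
const ALLOWED_EMBEDDERS = ["https://observablehq.com"]; // constructed allowlist

// Pure decision function (testable without a browser).
// entry has the IntersectionObserverEntry fields we care about:
//   isIntersecting, intersectionRatio, isVisible (v2, may be undefined).
function shouldEnableInteraction(entry) {
  if (!entry.isIntersecting) return false;
  if (entry.intersectionRatio < MIN_VISIBLE_RATIO) return false;
  // isVisible is only populated when trackVisibility is supported and true.
  // If it is undefined we cannot prove the frame is unobscured: fail closed.
  return entry.isVisible === true;
}

// Returns true only if every ancestor frame's origin is on the allowlist.
// ancestorOrigins: array of origin strings (location.ancestorOrigins), or
// null/undefined when the browser does not expose it.
// An empty list means we are top-level, i.e. not embedded at all.
function isEmbedderAllowed(ancestorOrigins, allowlist) {
  if (ancestorOrigins == null) return false; // cannot verify: fail closed
  const origins = Array.from(ancestorOrigins);
  return origins.every((origin) => allowlist.includes(origin));
}

// Enable or disable every control inside the container.
function setInteractive(container, enabled) {
  for (const el of container.querySelectorAll("button, input, select, textarea")) {
    el.disabled = !enabled;
  }
  container.setAttribute("aria-disabled", String(!enabled));
}

// Start observing the container; onChange(enabled) fires on each update.
function watchForOcclusion(container, onChange) {
  const observer = new IntersectionObserver(
    (entries) => {
      for (const entry of entries) onChange(shouldEnableInteraction(entry));
    },
    {
      threshold: [0, MIN_VISIBLE_RATIO, 1],
      trackVisibility: true, // v2: report occlusion/transforms/opacity
      delay: 100,            // v2 requires a delay of at least 100 ms
    }
  );
  observer.observe(container);
  return observer;
}

// Browser entry point; skipped when run under Node for the test harness.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  const container = document.getElementById("notebook-actions");
  const embedded = window.self !== window.top;
  const ancestors = embedded ? window.location.ancestorOrigins : [];
  if (!isEmbedderAllowed(ancestors, ALLOWED_EMBEDDERS)) {
    // Unknown or disallowed embedder: keep controls off permanently.
    setInteractive(container, false);
  } else {
    setInteractive(container, false); // start disabled until proven visible
    watchForOcclusion(container, (enabled) => setInteractive(container, enabled));
  }
}
```

The client-side allowlist is a second line of defence, not a substitute for the server: the authoritative control is the response header, and for allowlisting specific embedders that means `Content-Security-Policy: frame-ancestors https://observablehq.com` rather than `X-Frame-Options`, which only supports `DENY` and `SAMEORIGIN` (its `ALLOW-FROM` form is obsolete).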

I haven’t messed around with this API myself but came across it and wanted to flag it here for those interested (@tomlarkworthy).
