I figured out how to code AMP in Observable, using the iframe srcdoc attribute 
By the way, it’s a nested iframe, and nested iframes have the protection of their parent iframes. As security goes, Observable works a lot like CodePen, which also supports iframes. The only challenge might be communicating it to users. The UI does a good job of that, but unlike CodePen, iframes are interspersed with Observable’s UI.