Currently there's no option to restrict the outgoing connections via the iframe macro.
Have a similar function to Allowlist on Confluence DC. It should be safe to allow the domains and IP addresses by default from Atlassian. Otherwise, Confluence should provide an option for the admin to disable the iframe macro.
None. Consider adding yourself as a watcher to be kept informed as to the state of this feature request moving forward. With that way, if our development team updates the ticket, you'll be notified via email.