https://immersive-web.github.io/dom-overlays/#security reasonably calls out frame-src as applying to overlay content. It would be reasonable to note that the content itself might reasonably opt-out of such embedding via x-frame-options and/or frame-ancestor. It's likely the case that this is implicitly covered, but it's worth making it explicit that the overlay doesn't create a new top-level browsing context.
https://immersive-web.github.io/dom-overlays/#security reasonably calls out
frame-srcas applying to overlay content. It would be reasonable to note that the content itself might reasonably opt-out of such embedding viax-frame-optionsand/orframe-ancestor. It's likely the case that this is implicitly covered, but it's worth making it explicit that the overlay doesn't create a new top-level browsing context.