- Issue created by @hooroomoo
- 🇺🇸United States effulgentsia
Editing the JS code of code components requires a restrict access permission, so using non-sandboxed iframes for the various previews isn't a vulnerability, but sandboxing them would help add extra defense against some privilege escalation vectors, so switching the tag from Security to "Security improvements". However, I'm still tagging this as a beta blocker as well, because we want early adopters able to run the beta in production, and this would help provide extra confidence for doing so.
- 🇺🇸United States effulgentsia
I discussed this with @lauriii and we decided that people running beta1 in production can be judicious about to whom they give the permission. It would be nice to get this resolved early in the beta cycle but we don't have to block beta1 on it.
- 🇺🇸United States effulgentsia
We're not targeting this for beta anymore. I'd still like to resolve it relatively soon after beta1, but the "stable blocker" tag plus Critical priority is enough to keep this on our radar for that.