I’m not sure you understand the risks enough.
3rd party remote script can be executed from simple string without any “content_security_policy” issues - simply by using browser.tabs.executeScript API. This is how most malicious addons works and the future Manifest V3 will remove this feature for this reason.
If you are loading HTTP page into iframe, than the remote page will load and run 3rd party script!
The reviewers are skilled people so if you give them bad arguments than you sound suspicious. Note that all those malicious addons are made by developers like us so they may try to persuade them the same way you do! So reviewer needs to be able distinguish who is good and who is bad!
But I agree with you regarding sandbox="allow-scripts allow-same-origin", I don’t see a problem as long as the iframe cannot communicate with your addon somehow.