What's the point of forbidding a sandboxed iframe with allow-scripts and allow-same-origin?

You can scan for scripts related to browser.tabs.executeScript for that. I don’t think this is relevant to the iframe issue.

I don’t think this is true. The default content security policy will block all 3rd party scripts that are loaded into an extension iframe.

This is the basic logic: iframe[sandbox="allow-scripts allow-same-origin"] is no more open than a normal iframe. If iframe is considered safe enough and is generally allowed, there is no point to (generally) disallow iframe[sandbox="allow-scripts allow-same-origin"].

I can work around it by replacing iframe[sandbox="allow-scripts allow-same-origin"] with a normal iframe; it’s just stupid and unperformant to block forms using more complicated scripts than a simple sandboxed iframe without the “allow-forms” value. And actually I have done this revision, but the re-submission has still been halted for more than 2 weeks—you don’t have a mechanism to review a re-submission together with the previous submission with the same reviewer?
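The comparison made in the post, as an added example that is not part of the original post or of any validator's code: it parses a sandbox attribute value and lists the restrictions that stay in force, next to a normal iframe. The keyword table is a subset of the HTML sandbox tokens, and the function names are hypothetical.

```javascript
// Subset of HTML sandbox keywords, mapped to the restriction each one lifts.
const KEYWORDS = {
  "allow-scripts": "script execution",
  "allow-same-origin": "keeping the real origin",
  "allow-forms": "form submission",
  "allow-popups": "popups",
  "allow-modals": "modal dialogs",
  "allow-top-navigation": "top-level navigation",
  "allow-downloads": "downloads",
  "allow-pointer-lock": "pointer lock",
};

// Split on ASCII whitespace and compare case-insensitively, as HTML does.
function parseTokens(sandboxAttr) {
  return new Set(
    sandboxAttr.split(/[ \t\n\f\r]+/).filter(Boolean).map((t) => t.toLowerCase())
  );
}

// sandboxAttr is null when the attribute is absent (a normal iframe),
// otherwise the attribute string (an empty string applies every restriction).
function activeRestrictions(sandboxAttr) {
  const restricted = new Set();
  if (sandboxAttr === null) return restricted;
  const tokens = parseTokens(sandboxAttr);
  for (const [keyword, what] of Object.entries(KEYWORDS)) {
    if (!tokens.has(keyword)) restricted.add(what);
  }
  return restricted;
}

// The combination the post says is forbidden. When the framed document is
// same-origin with its embedder, its script can reach the frame element and
// drop the sandbox attribute, so the worst case equals a normal iframe.
function isFlaggedCombination(sandboxAttr) {
  if (sandboxAttr === null) return false;
  const tokens = parseTokens(sandboxAttr);
  return tokens.has("allow-scripts") && tokens.has("allow-same-origin");
}

// Constructed sample values for the three cases discussed.
const samples = [null, "allow-scripts allow-same-origin", ""];
for (const attr of samples) {
  const label = attr === null ? "<iframe>" : `<iframe sandbox="${attr}">`;
  console.log(label, "blocks:", [...activeRestrictions(attr)].join(", ") || "nothing",
    "| flagged:", isFlaggedCombination(attr));
}
```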