... if a bad actor is able to run javascript on your page

That's exactly the point one want to avoid. Iframes allow third party sides including script to be part of the visible page without having access to the parts of the page outside the iframes served by this specific third party. This is much more safe than embedding a third party HTML (for the form) and script (for form control, like input checks) directly into the main page.

... if a bad actor is able to run javascript on your page

That's exactly the point one want to avoid. Iframes allow third-party sides including script to be part of the visible page without having access to the parts of the page outside the iframes served by this specific third party. This is much more safe than embedding a third party HTML (for the form) and script (for form control, like input checks) directly into the main page.

If the iframe and main page come from a different origin, then the Same-Origin Policy will severely limit how they can interact with each other. Contrary to that a third-party script included with the script tag has full access to the DOM and could do everything a same-origin script tag could do.