... if a bad actor is able to run JavaScript on your page
That's exactly the point one wants to avoid. Iframes allow third-party sites, including script, to be part of the visible page without having access to the parts of the page outside the iframes served by this specific third party. This is much safer than embedding third-party HTML (for the form) and script (for form control, like input checks) directly into the main page.
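
An added example, not part of the original answer: the parent-page side of a form hosted in a cross-origin iframe, showing the origin comparison that keeps the framed script out of the parent page and a strict check on the one message the parent accepts back. `FORM_ORIGIN`, the `/contact` path and the `form-submitted` / `ticketId` message shape are assumptions made for illustration.

```javascript
// Added example. FORM_ORIGIN and the message shape are assumptions,
// not taken from the original post.
const FORM_ORIGIN = "https://forms.example"; // hypothetical third-party origin

// Same-origin test (scheme + host + port). Script in a frame whose origin
// differs from the parent's cannot read the parent's DOM, cookies or storage.
function isSameOrigin(a, b) {
  try {
    return new URL(a).origin === new URL(b).origin;
  } catch {
    return false; // unparsable URL: treat as a different origin
  }
}

// Decide whether a postMessage event from the frame may be acted on.
// Returns a validated payload, or null if the message must be ignored.
function acceptFormMessage(event, frameWindow) {
  if (event.origin !== FORM_ORIGIN) return null;   // wrong sender origin
  if (event.source !== frameWindow) return null;   // not sent by our iframe
  const d = event.data;
  if (typeof d !== "object" || d === null) return null;
  if (d.type !== "form-submitted") return null;    // only the expected message
  if (typeof d.ticketId !== "string") return null;
  if (!/^[A-Za-z0-9-]{1,64}$/.test(d.ticketId)) return null;
  return { ticketId: d.ticketId };                 // copy only known fields
}

// Browser wiring (skipped when no DOM is present, e.g. under Node).
if (typeof document !== "undefined") {
  const frame = document.createElement("iframe");
  frame.src = FORM_ORIGIN + "/contact";            // hypothetical path
  document.body.appendChild(frame);
  window.addEventListener("message", (ev) => {
    const msg = acceptFormMessage(ev, frame.contentWindow);
    // Text-only sink: data from the frame is never inserted as HTML.
    if (msg) document.title = "Submitted: " + msg.ticketId;
  });
}
```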