Fix iframe security and accessibility

[severo]

See copilot comments at #218 (review)

Partly worked in #219.

For security issues, copilot recommends:

        sandbox="allow-scripts allow-downloads"
        referrerPolicy="no-referrer"

but it breaks some functionality.

For example, the parquet table does not load if it cannot access local storage. Maybe it should gracefully handle this, but if so, we should coordinate the fix there, and the change here.