Correction, it is possible for any user to access the content of a cross-origin iframe in the devtools. In the console tab of chrome, it is possible to choose the context of the JavaScript execution. By choosing the IFrame as context, the user can act directly inside the window presented by the iframe and access all its content.