It might be good to consider a feature policy on the main frame and also on iframes so that embedded sites can't just ask for access to the contacts address book if I as the site owner don't want to enable it.

For example on my blog I use 3rd party JS for comments and I am really not keen on given access to this API to that embed (or even if it runs in a 1st party context).