This thread, along with others, also came up in my search results when I was trying to solve embedding a LiveView in an iframe.
So linking here to my current solution/conclusion:
After trying several things I gathered around the internet, I found the 3 minimal steps which limit security-related changes to the embeddable LiveViews only.
- Separate LiveView Socket.
- Separate Router Pipeline replacing `x-frame-options` HTTP header with a restrictive CSP.
- Separate layout for embeddable LiveViews independent from session-based assigns.
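
The three steps above, written out for a Phoenix app. This is an added example, not code from the original post. It assumes Phoenix 1.7 conventions; the names `MyAppWeb`, `EmbedLive`, the `:embed_root` and `:embed` layouts, and `https://partner.example` are hypothetical.

```elixir
# lib/my_app_web/endpoint.ex (fragment)
# Step 1: a second LiveView socket used only by embeddable LiveViews.
# Assumption: it is declared without session connect_info, so it does not
# read the session cookie the default "/live" socket is usually given.
# The embed layout's JavaScript must point its LiveSocket at this path.
socket "/embed/live", Phoenix.LiveView.Socket, websocket: true

# lib/my_app_web/plugs/allow_embedding.ex
defmodule MyAppWeb.Plugs.AllowEmbedding do
  @moduledoc "Swaps x-frame-options for a CSP frame-ancestors allow-list."
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: Keyword.fetch!(opts, :ancestors)

  @impl true
  def call(conn, ancestors) do
    # Only the listed origins may frame these responses; every other
    # route keeps the application's default headers.
    policy = "frame-ancestors " <> Enum.join(ancestors, " ")

    conn
    |> delete_resp_header("x-frame-options")
    |> put_resp_header("content-security-policy", policy)
  end
end

# lib/my_app_web/router.ex (fragment)
# Step 2: a pipeline used by embeddable routes only.
pipeline :embed do
  plug :accepts, ["html"]
  # Step 3: root layout that does not read session-based assigns.
  plug :put_root_layout, html: {MyAppWeb.Layouts, :embed_root}
  plug :put_secure_browser_headers
  # Must run after put_secure_browser_headers so it overrides its defaults.
  plug MyAppWeb.Plugs.AllowEmbedding, ancestors: ["https://partner.example"]
end

scope "/embed", MyAppWeb do
  pipe_through :embed

  # Step 3, continued: an app layout of its own for the embedded views.
  live_session :embed, layout: {MyAppWeb.Layouts, :embed} do
    live "/widget", EmbedLive
  end
end
```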