It's technically possible to have an iframe with no "src" (not loading from a 3rd party) but still embed html/css inside the frame for sandboxing purposes.

I believe the sandbox attribute would also block javascript / scripts, although not sure what cross browser support on that looks like.