By default, Discourse does not allow users to insert most iframe elements into posts. This is controlled by the allowed iframes site setting. That setting accepts a list of src domains of iframes that are allowed to be added to posts.
There is no way to control which iframes can be added based on a user’s permissions though - there isn’t a staff allowed iframes setting.
For most cases, Discourse handles embedding external content with “oneboxes.” This allows users to insert links into a post. In some cases, Discourse then converts these links to iframes. For example, if a link to a Youtube video is added to its own line in the post editor, it’s converted to a video element that’s displayed in an iframe. There are a limited number of domains that Discourse handles in this way. For example, Vimeo, Youtube.
You can limit which domains get iframe oneboxes with the allowed onebox iframes site setting. The default value of this setting is *. If you want to limit this, click on the dropdown input that’s displayed below that setting. It lets you select specific domains from the list of domains that Discourse is configured to onebox as iframes.