From what I know, the different options in iframe sandboxing can safely prevent a user from accessing information on your site.
Whitelisting both allow-scripts and allow-same-origin is probably the most dangerous thing to do, as it allows running javascript and access to the parent page. However, I have allowed only allow-scripts in my iframes.