I think you are confusing Create rich link previews with Onebox with embedding an <iframe> directly.
Creating a onebox requires the website to be supported internally by Discourse.
You still can post manually any <iframe> as long the source is whitelisted (see my answer above).
In both ways, you have full control over what to allow.
I hope that helps! 