With this same argument, could I not use the JavaScript I inject into the site (via XSS or whatever) to replace your entire iframe with a different iframe (hosted off my corrupt and evil server) that looked identical to yours? I don't need to access elements of the checkout form: the key problem with an iframe is that the user cannot tell what the URL of the iframe is to do basic verification of where the page is being served from.
