Kind of, in that embedding anything from a site you can’t trust is inherently risky, but I’d say it’s not actually that bad, for two reasons:
iframes are much better sandboxed than they once were, and are much safer now than their reputation suggests
you probably wouldn’t be embedding from any old instance; I assume you could embed from an instance you use and trust as long as the post is federated to it
Kind of, in that embedding anything from a site you can’t trust is inherently risky, but I’d say it’s not actually that bad, for two reasons: