Yes, that author seems to be a genuine contributor and not at all sketchy. I tend to look for that before I consider loading someone's plugin.
That's a good habit; I do it myself.
I'm not aware of any way that Iframe could be made to execute php code on my site but wanted to let some more knowledgable eyes verify that.
iFrames load html and javascript; neither one has access to underlying file systems and can't execute code outside of the browser.
I do of course realize that there is always the possibility of a project having a new junior contributor who is, perhaps, not too mature. And passwords can leak for repositories and the like. At least this seemed experimental rather than malicious.
If you're concerned with security to this degree, don't run a CMS. There will always be security issues with a complex web app like WordPress and anything similar out there. Run a site with plain html or basic php. I've had clients who wanted to stick to plain html or simple php for those reasons.
But half of your security is your knowledge to secure your own server, unrelated to any http, ftp or other services enabled.