I work for a publisher and basically these ad networks say "you'll lose 50% of your revenue if you implement 'safe frames' in Google AdManager 360. We have some publishers who do it but basically no advertiser wants to run ads in a safeframe."
So you're saying the standard practice is to let the malicious ad buyers from your network run arbitrary javascript on our sites...
SafeFrames are fine for most ads that are isolated in a box on the page, and those that wait for user interaction before changing dimensions.
The main issue today is because advertisers want viewability tracking (which safeframe has a minimal but poor API for) and they want it with their own independent providers. Also prebid.js used for header bidding does not support safe frames.
Things will improve though because IntersectionObserver is now built into modern browsers and even works in cross-domain iframes. There's also the Open Measurement SDK[1] from the IAB to standardize viewability finally, and Prebid.js is also working on using SafeFrames.
So you're saying the standard practice is to let the malicious ad buyers from your network run arbitrary javascript on our sites...
"Yes that's what our publishers do..."