In the blog post Unifying Atlassian Connect and Forge: An Update - Atlassian Developer Blog
In State 2, the app gains important security benefits. First, an app developer can limit the types of data the app can access using scopes, bringing the app in line with the principle of least privilege. Second, replacing Connect remote iframes protects app users from common remote iframe browser-based vulnerabilities and domain hijacking.
Because these security improvements are high priority, we will be requiring all Connect apps to reach State 2, and in the future, Connect will stop supporting JWT auth and remote iframes. While these services are not being deprecated yet and we are still far out from making this a hard requirement, we encourage app developers to start planning to make these changes as soon as development is unblocked, which we estimate will happen towards the end of 2022.
So this implies that Connect remote iframes are not as secure as Forge UI. There was already a lot of negative feedback about this blog post in CDAC 22 Sep 2021 - Unifying Atlassian Connect and Forge: An Update - #60 by jhazelwood