Is the Iframe calling an external site?

If it is, we solved this by getting our Mendix app to pass the data over to the external site using a server side REST or SOAP call. The remote app then stores this data and returns us a deeplink with a GUID. We use this deeplink as the Iframe src. When the external app receives a call to this URL it can access the data that was passed behind the scenes. The data does not appear in the users devtools, just the GUID which can be easily expired by the external app.

Hope this helps.

If you do not know how your security works, you are asking the wrong question. From your initial description, and your comment, it seems the security of your Mendix application is severely lacking: you have not configured security strictly enough and instead you rely on ‘security through obscurity’ – which is a bad practice.

It seems that data is accessible without the need to authenticate (i.e. you have enabled anonymous users and they can access data). If this is the case, anyone who know the URL of your application has access to all data such an anonymous user has access to: someone with enough Mendix experience can access the data, either through Mendix's REST API or through accessible microflows. You can test this by adding the SecurityInspector widget from the AppStore to a page an anonymous user has access to.

Based on this, I would advice you to review your security configuration and implement authentication. Your choice of authentication will dictate how you are able to secure your iFrame.