You're right, but it's worth noting that the iframes used today are better at hiding the fact that they're iframes, it's usually hidden behind an API call from a library that you import, and that doesn't affect your browsing history, or at least not as bad as those huge forms used in the past that would essentially replace the page you're on for the sake of paying.
Today you can still use iframes but most gateways now provide a tokenization api that provides the form to produce the tokenized cc. Afaik tokenized cc isn't falling under PCI.
My big issues with iframes is the checkout process which inevitably has to make callbacks to your api with the results of the transaction. If you're behind any sort of firewall (like most businesses are) you're in for a world of http pain.