This is only possible if you do not validate the incoming URL in the frame data packet. For example, Yoink no longer works in @paulcowgill’s example because I started checking.
By verifying this value you can block all cross-frame calls, allow specific origins, or allow any origin. Most frames should check the URL.
https://warpcast.com/horsefacts.eth/0x3ad31216