The only reason I can imagine that happening is if the iframe is wrapped in a check to see if the user is logged in. As @s_ha_dum said, WordPress login isn’t tied to directory permissions in any way, so just make sure that when the iframe is displayed in the theme it isn’t inside any is_user_logged_in() or current_user_can() checks. Just a hunch. It’s impossible to know for sure without code.
