The same origin policy prohibits that a top-level domain can access cross-origin iFrames. A browser extension's content script runs in the context of the top-level page (https://developer.chrome.com/extensions/content_scripts) and thus cannot access an iFrame if it is cross-origin. Is it impossible that a password manager extension can fill in credentials into a cross-origin iFrame? How do password manager vendors handle this?
I guess this is only possible for password managers that are built in to the browser itself, but not for browser extensions.
From your link (https://developer.chrome.com/extensions/content_scripts):
all_frames
Optional. Defaults to false, meaning that only the top frame is matched.
If specified true, it will inject into all frames, even if the frame is not the topmost frame in the tab. Each frame is checked independently for URL requirements, it will not inject into child frames if the URL requirements are not met.