creata 4 hours ago

You're right that everyone should be using X-Frame-Options: DENY (for ancient browsers, plus CSP for newer browsers), but the author managed to pull it off on Google Docs. If even Google can't consistently stick to it, I feel like I should be worried. All website operators should read this imo: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_...
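
An added example, not part of the comment above or of the linked OWASP page: a header check for the X-Frame-Options plus CSP pairing the comment recommends. It reports what a legacy browser (X-Frame-Options only) and a current browser (CSP `frame-ancestors`, which takes precedence over X-Frame-Options when present) would each enforce. The function names, verdict labels and sample headers are constructed for illustration.

```python
# Added example. Header values in SAMPLES are constructed, not from a real site.

def frame_ancestors(policy):
    """Source list of the frame-ancestors directive in one CSP policy, or None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def xfo_verdict(values):
    """What X-Frame-Options alone gives: 'deny', 'sameorigin' or 'none'."""
    seen = {v.strip().lower() for v in values}
    if seen == {"deny"}:
        return "deny"
    if seen == {"sameorigin"}:
        return "sameorigin"
    # Auditor's choice: absent, conflicting or unsupported values
    # (e.g. the obsolete ALLOW-FROM) are all reported as a finding.
    return "none"

def csp_verdict(values):
    """What enforced CSP gives: 'deny', 'restricted', 'open', or None if unset."""
    lists = [frame_ancestors(p) for v in values for p in v.split(",")]
    lists = [l for l in lists if l is not None]
    if not lists:
        return None
    # Every policy must allow the embed; an empty list or 'none' matches nothing.
    if any(not l or l == ["'none'"] for l in lists):
        return "deny"
    if all("*" in l for l in lists):
        return "open"
    return "restricted"

def audit(headers):
    """headers: list of (name, value) pairs as received, duplicates allowed."""
    def get(name):
        return [v for n, v in headers if n.lower() == name]
    xfo = xfo_verdict(get("x-frame-options"))
    # Content-Security-Policy-Report-Only is not enforced, so it is not read.
    csp = csp_verdict(get("content-security-policy"))
    # With frame-ancestors present, supporting browsers ignore X-Frame-Options.
    return {"legacy": xfo, "modern": csp if csp is not None else xfo}

SAMPLES = [  # constructed responses
    [("X-Frame-Options", "DENY"), ("Content-Security-Policy", "frame-ancestors 'none'")],
    [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample))
```

A response is covered for both browser generations only when both keys come back as `deny` (or the intended same-origin/allowlist value); a `none` under either key is the gap the comment is describing.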