I think this solution could be technically feasible, but I'm not sure it would be a good approach. I've seen this in the past crash pretty hard trying to piece together a cohesive UI with a bunch of iframes. My suggestion would be to expose the data from the Mendix apps via APIs, which you could protect via OAuth with JWT, and consume via your React application. If you're concerned that you'll end up with a monolithic front-end, you could still break up your UI into a microfrontend, but there are pretty large tradeoffs. Microservices and Microfrontends are a terrible way to build apps unless your bottleneck is scaling your dev team.
To answer your question: Yes, Mendix will have a robust security.
Also when implemented as Microfrontends. Currently I am building an app which is using Mendix at the frontend and Flowable at the backend. Most, almost all, data is stored in the backend. Communication between front- and back-end is done via api's. Users only use the Mendix-app, Flowable does data-management and, of course, the workflow-logic, which is what Flowable does best.
As for using microfrontends, this implies that you use a lot of these little apps in your company. To do so, three things are important: standardization, standardization, standardization. Starting the build of a microapp should ideally be a one-click task, resulting in an app that does have ci/cd pipeline, a UI/UX-framework, working single-sign-on, connection to the React-backend, (if your company has an api-portal publishing the company's services:) connection to the company's api-portal, (a selection of) your companies masterdata. After that one click, the one-and-only concern of the developers of a microapp, should be the functionality of that app. So no adaptation to styling, no login-screen, no building of company-generic functions, just and only the microapp-functions.
Iframe has technical challenges regarding security and browsers and is not a popular technique to use. I would advice against it.