I'm not the creator of redact, but it sounds like you're under the impression that the iframe src is redact.ws in which case I'd understand your concern.
My assumption is that the iframe src would be the local redact server, which would keep things as secure as the package the user installed (though there could be compromises at the network level I suppose)