You can also enable it on a per-site basis by clicking on the icon (info, or padlock) to the left of the URL in the address bar, which might be easier for some users:
It seems like the Global Default is still to Ask the user. Perhaps it’s not asking the users if the first time they encounter it is inside an iframe? This change originally happened back in December 2016; I haven’t seen anything about an outright Block by default since then.
We were planning an overhaul of file and image uploads to support going direct to a CDN (e.g. S3) from the client, in addition to uploading to the server’s file system (the current behaviour). Looks like we might just need to expedite a fix for the latter. For the former, we already have an S3 upload plugin, but that functionality will be unified when it lands in Core.