
Yes, except some pages are designed to be embedded (like the Google login widget in the linked article), and those may still be vulnerable to clickjacking. If your page isn’t explicitly designed to be embedded then at least SAMEORIGIN is basically a must. In fact most run-of-the-mill security checkers would warn you if you don’t prevent cross-origin iframe embedding.
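The kind of check such a scanner performs, as an added example that is not part of the comment above: it classifies a response's `X-Frame-Options` and CSP `frame-ancestors` headers and reports pages that do not prevent cross-origin framing. The function names, URLs and sample header values are assumptions constructed for illustration.

```javascript
// Added example: classify a response's anti-framing headers.
// Input: an object of response headers with lower-cased names.
function framingPolicy(headers) {
  const csp = headers['content-security-policy'] || '';
  // An enforced CSP frame-ancestors directive takes precedence over X-Frame-Options.
  const directive = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1).map(s => s.toLowerCase());
    if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return 'deny';
    if (sources.length === 1 && sources[0] === "'self'") return 'same-origin';
    if (sources.some(s => s === '*' || s === 'https:' || s === 'http:')) return 'any-origin';
    return 'allowlist'; // embeddable by specific origins, by design
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // Anything else, including the obsolete ALLOW-FROM, is treated here as no protection.
  return 'none';
}

// Report responses whose policy lets an arbitrary other origin frame the page.
function auditFraming(responses) {
  return responses
    .map(r => ({ url: r.url, policy: framingPolicy(r.headers) }))
    .filter(r => r.policy === 'none' || r.policy === 'any-origin')
    .map(r => `${r.url}: cross-origin framing not prevented (${r.policy})`);
}

// Constructed sample responses; URLs and header values are illustrative.
const SAMPLE = [
  { url: 'https://app.example/settings', headers: { 'x-frame-options': 'SAMEORIGIN' } },
  { url: 'https://app.example/legacy', headers: {} },
  { url: 'https://app.example/widget', headers: {
    'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://partner.example" } },
  { url: 'https://app.example/old', headers: { 'x-frame-options': 'ALLOW-FROM https://partner.example' } },
  { url: 'https://app.example/mixed', headers: {
    'x-frame-options': 'DENY', 'content-security-policy': 'frame-ancestors *' } },
];

console.log(auditFraming(SAMPLE).join('\n'));
```

The `/widget` response is classified as `allowlist` and not reported: it is embeddable by design, so header checks alone say nothing about whether it resists clickjacking.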


