Yes, that's what it does. Check Firefox. First (unescaped) sample was my sanity check, yes, it alerts from <iframe>.

It work in Chrome on

    div.innerHTML = sanitized

but not on

    iframe.srcdoc = sanitized
    iframe.src = `data:text/html;charset=UTF-8,${sanitized}`

I am rewriting document so it is possible to check different methods.