Unfortunately, I've been unable to get the giscus iframe to work when the Cross-Origin-Embedder-Policy (COEP) response header is present on my site. As you would expect with this header, it blocks cross-origin embeds. Even the “less secure” credentialless directive doesn't work.

It's perfectly fine to leave this header out presently, as not all modern browsers support it, (looking at you Safari).
But I'm guessing once this header is fully supported and more well-known, this will likely become an increasingly problematic issue for all apps that work by embedding iframes.

From what I understand about this header, I believe you need to add the:
Cross-Origin-Resource-Policy: cross-origin to the giscus.app server to enable COEP, but it would require some testing, as I wouldn't want it to unintentionally break current implementations.

An excellent explainer on Anonymous iframes can be found here, that may be useful.