On the web site that I'm responsible for at work, I'll go to the ends of the Earth to avoid an IFRAME. A client-side script to pull in content from a foreign site is slightly preferable, but still not good.
The thing is, I'm responsible for ensuring the security of my users. When retrieving IFRAME content from a foreign server, I'm surrendering all control to that foreign server, but my users don't know where it's coming from, nor how trustworthy they are.
The AJAX solution is better, because it's not taking raw HTML. But at a minimum, it's still a privacy exposure in that it reveals to the foreign server who my customers are, and what content they're interested in.
Of course the "do the right thing", wanting to protect my customers, is the main thing. But even if it were not, some of our customers have placed restrictions in our contract that prevent me from doing this. So when it does occur on our site, I need to have behavioral switches in our code to disable it for customers that won't allow it. And where it can be allowed, I need NDAs and indemnification from the foreign server to keep me and my customers safe.
My preferred solution is for you to give me a web service. I can call your service from our web servers, acting as a proxy for the user, and expecting back data as opposed to raw HTML. I can then embed that into the pages as I see fit, with a much greater feeling of safety.
Of course, your users may not be so exacting, or have so much to protect. But without knowing what content you'll be dealing with, who knows...