Embedding an iframe without directly referencing a php file under wp-content

I am in the process of updating a plugin to avoid diectly referencing php files in the plugin’s directory. I have one place where I have an iframe that has a src URL of the form: /wp-content/plugins/pluginname/something.php. I know that this is really a security problem and want to fix it. Is there some sort of add_action() thing for this (like for ajax). Or should I really use add_action(‘wp_ajax_myiframe’, ‘my_iframe_body’) and use an URL like /wp-admin/admin_ajax.php?action=my_iframe_body for the iframe’s src attribute? There isn’t any actual JavaScript involved in *generating* the base contents of the iframe, although there will be buttons and things that will invoke JavaScript to update things later.