A working and better way would be to write to the IFRAME via JS:
<div id="target"></div>
<script>
document.getElementById("target").innerHTML = "<iframe id=\"my-frame\" src=\"about:blank\"></iframe>";
var frame = document.getElementById("my-frame");
var fdoc = frame.contentDocument;
fdoc.write("<!doctype html><head></head><body>Here is some content.</body></html>");
</script>
Please note that this will work in Firefox and Chrome, Internet Explorer will most likely prompt an ActiveX security popup that would need to be accepted by the user.
Using srcdoc
You don't need to (better said: you are not allowed to) to escape the HTML characters in srcdoc as this will tell the browser to render the characters "<" or ">" rather than interpreting them as begin and end of a tag. You will need to decode/unescape them before (I used Wladimir's answer from another SO to handle the decoding) and then make sure that you convert the quotes to single quotes. Also make sure that the response of the API returns proper HTML as what you posted in your comment is incomplete and the double quote sign is missing in the srcdoc tag.
function htmlDecode(input) {
var doc = new DOMParser().parseFromString(input, "text/html");
return doc.documentElement.textContent;
}
let div = document.getElementById("div");
let response = '<!DOCTYPE html>\n<html>\n <head>\n <script src="code.jquery.com/jquery-2.2.4.min.js" type="text/javascript"></script>\n<head><body>Some content.</body><html>';
div.innerHTML = "<iframe src=\"about:blank\" srcdoc=\"" + htmlDecode(response).replace(/"/g, "'") +"\"></iframe>";
<div id="div">
</div>
