I have set the headers with helmet on my website and included the following configuration to prevent clickjacking attacks:

helmet.frameguard({ action: 'deny' });

frameAncestors: [
  '\'self\'',
  'https://*.force.com',
  'https://*.my.salesforce.com'
]

When I check the headers using curl -I mysite.com, I can see that the x-frame-options header is set to DENY and the content-security-policy header has the frame-ancestors directive with the specified values:

x-frame-options: DENY
content-security-policy: frame-ancestors 'self' file: https://*.force.com https://*.my.salesforce.com

However, I noticed that if I create an index.html file on my local machine with an iframe that points to my website like this:

<html>
<head>
  <title>Clickjack test page</title>
</head>
<body>
  <iframe src="https://app.mysite.com/" width="900" height="800"></iframe>
</body>
</html>

My website still loads inside the iframe. This is not desirable behavior, and I want to prevent this from happening. Specifically, I want to prevent a page served with the file:// protocol from a local machine from being able to embed my website.
(I've noticed that the desired behavior is achieved when the embedding is attempted from a web server, indicating that the issue is specific to local files)

This Content-Security-Policy header looks like the culprit:

content-security-policy: frame-ancestors 'self' file: https://*.force.com https://*.my.salesforce.com

Notice that file: is there. That will allow file:// embedding.

Maybe you need to do a hard refresh? Maybe you need to re-deploy your server?

Looks like your problem was solved! Let me know if you need anything else.