The documentation at https://github.com/OfficeDev/office-js-docs/blob/master/docs/develop/privacy-and-security.md#tips-to-prevent-clickjacking lists a bunch of ways to help prevent clickjacking, by having the user confirm before performing potentially dangerous actions.
I was wondering if it would be just as safe to not render any UI on the page at all, until Office.initialize is called? Or is there a way for an attacker to iframe my add-in on their page and somehow replace the Office SDK with a malicious version?
Yes, a malicious attacker could attempt to emulate the add-in runtime. It is best to make sure the user confirms sensitive actions as described on the best practices. If your add-in requires the user to login, that is one way of getting user input that would help mitigate.