onfocus events aren’t actually coming from the document inside of your iframe. They come from the window object of the iframe, saying that the iframe is losing or getting focus. As you noted, there is no way to get the input value from their page within the iframe without using CORS in some way.
It’s usually a really bad idea to try to circumvent a security measure. Think about what you are asking for. Replace the phrase “value of an input” with “stranger’s credit card number.” That’s what you’re asking the web to permit.
The way developers across domains get around these security measures is by collaborating with each other. This is what CORS is about. It still doesn’t allow direct JS hijacking across domains, but it allows two parties to say “We trust each other” enough to share each others’ resources. Then you can work out how to communicate between each other, like fetching data from each other’s servers that track events.
Rather than trying to hijack another site, consider other ways to solve the problem at hand. Password managers, for example, work at the browser extension level instead of the page level and have a different sandbox. But continue to consider if what you’re attempting is opening Pandora’s box for someone else.