I don't think web2py does anything by default, but you can add protection yourself by setting the X-Frame-Options and/or Content-Security-Policy headers in a model file:
response.headers['X-Frame-Options'] = "SAMEORIGIN"
response.headers['Content-Security-Policy'] = "frame-ancestors 'self'"
Perhaps web2py should set the Content-Security-Policy header by default, maybe with an optional configurable whitelist of allowed ancestors.
Note, you can also configure your server (e.g., nginx, Apache) to automatically set the above headers.
You can also implement a Javascript defense, such as
this one.