>This page could be my mail or bank account or anything that might contain private information.
They should not be able to read or inject into any URL that starts with https:// so your mail, bank, paypal etc should be OK.
That said, any tampering at all is a really sucky thing to do. If you can't switch ISP's I'd get a VPN subscription somewhere and send all of your traffic through it.
It might help to ensure your DNS is not provided by your ISP. You might also want to look into a "VPN".
> An iframe added to page by using a JS script that sourced from direct IP address
This can kind of page tampering happen if your connection to the website is not encrypted (http:// instead of https://)
For practical defense against this, you can install the HTTPS Everywhere browser extension: https://www.eff.org/https-everywhere which attempts to redirect you to secure versions of websites.
If there's no secure version of the site available, there's not much you can do to prevent this besides changing your ISP or using a VPN, however this just moves the trust issue to a different entity.