I read this paper that Bruce Schneier linked to regarding JavaScript hijacking. Seems to me that WordPress plugin developers who piggyback on WordPress's built-in security features shouldn't have anything to worry about.
Judging from what little buzz there was, I think that's probably true, but I'm interested in others' thoughts.