By the point you’re browsing a web page, you’re trusting the content provider and browser to do no harm. Script tags with remote hosts only end up in that page if the content provider puts it there and *rusts the remote host.

If you come up with a “solution” that allows for safe exchange of data, you’re providing for another use case… namely, exchanging data with an untrusted remote host. That’s certainly a valid use case, but it’s a different one that JSONP doesn’t claim to solve.

Note that even with a safe wire protocol, nothing stops the content provider from using eval() to run code from untrusted hosts, or to simply HTTP proxy to untrusted hosts — it’s up to the content provider. You’ve already trusted them and nothing can stop them from extending that trust to another party if they choose to.