This is far from new, but it is a problem. Ironically, the old-school SOAP 1.1 way of doing things (with a header and a post) is immune from this.
Also, correct me if I'm wrong, but isn't JSON and the script tag way of calling things explicitly designed to DEFEAT the same origin policy? If the entire point of your data transfer method is to make it possible for anyone to request your data, you should only send data that everyone should be able to see =P
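Added example, not part of the comment above: a request gate for a JSON endpoint that applies the "header and a post" pattern the comment credits SOAP 1.1 with, refusing any request a cross-site script tag could have produced. The header name, the handler, the payload and the sample requests are assumptions constructed for illustration.

```javascript
// A <script src="..."> include always issues GET and cannot attach custom
// request headers, so requiring POST plus a custom header (the same shape
// as SOAP 1.1's POST + SOAPAction) keeps the JSON out of its reach.

// Assumption: header name chosen for this sketch; Node lower-cases names.
const REQUIRED_HEADER = 'x-requested-with';

// Decide whether a request may receive the JSON payload.
function checkJsonRequest(req) {
  const method = String(req.method || '').toUpperCase();
  const headers = req.headers || {};
  if (method !== 'POST') {
    return { allowed: false, status: 405, reason: 'POST required' };
  }
  if (!headers[REQUIRED_HEADER]) {
    return { allowed: false, status: 403, reason: 'custom header missing' };
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// Handler with the (req, res) shape Node's http.createServer expects.
function handle(req, res) {
  const verdict = checkJsonRequest(req);
  res.statusCode = verdict.status;
  res.setHeader('Content-Type', 'application/json');
  // Constructed payload standing in for per-user data.
  const body = verdict.allowed ? { balance: 42 } : { error: verdict.reason };
  res.end(JSON.stringify(body));
}

// Constructed sample requests, reduced to the fields the gate reads.
const SAMPLE_REQUESTS = [
  { name: 'script tag include', method: 'GET',
    headers: { referer: 'https://other.example/' } },
  { name: 'POST without header', method: 'POST', headers: {} },
  { name: 'same-site XHR', method: 'POST',
    headers: { 'x-requested-with': 'XMLHttpRequest' } },
];

function runSamples() {
  return SAMPLE_REQUESTS.map((r) => ({ name: r.name, ...checkJsonRequest(r) }));
}

for (const row of runSamples()) {
  console.log(`${row.name}: ${row.status} (${row.reason})`);
}
```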