What is being proposed in this thread is to put a crossdomain file on a local proxy to eliminate the security for *all* domains, not just the chumby itself. I don't have any particular issue with adding a crossdomain to access HTTP services hosted on the chumby, although I would restrict it to services that don't supply information that should probably be kept secure - the web server in the chumby, for instance, reports some network information that could be useful to a malicious hacker, such as the ESSID of the access point currently configured (even if it doesn't beacon).
For instance, the HTTP daemon that presents the iPod has a crossdomain response.
To the general issue, however....
The important difference between a web page showing ads and a Flash movie is that a Flash movie is basically an application.
Imagine that every web page could include an untrusted application that would download and run on your machine, get access to your files and the rest of your network and upload the data.
I hope it's obvious to everyone that that would be bad.
The problem with universally bypassing crossdomain on the chumby device itself is that the drop in security would apply even to your own network - a widget would be able to scan through IPs behind your firewall, and upload any information it discovered to any external server. No company with half a brain would allow a chumby to run on their networks, and I probably wouldn't even run it on my own home network.
We didn't come up with this security model, Adobe did, and their reasoning is pretty sound from a security standpoint. Yes, it's inconvenient sometimes, but security often is, and Microsoft's abysmal track record has shown over and over again that convenience over security is bad policy. Both Java applets and JavaScript in a webpage have similar, but not identical, security models.
If we did what you're proposing, which is, essentially, a mechanism to spoof, what's to stop people from specifying the runtime domain as 192.168.x.x, 172.22.1.x, or 10.x.x.x and having free rein to wander around behind the firewall?
Incidentally, the crossdomain issue does not apply to images - a widget can show a comic from xkcd without security barriers.
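
An added example, not part of the original post: a small audit that reads a crossdomain policy file and reports the grants discussed above (a wildcard that opens every domain, and grants naming addresses behind the firewall). The sample policies, host names and the function name audit_policy are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real device or proxy).
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="widgets.example.com"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="192.168.1.20"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of (domain, finding) tuples for risky grants."""
    findings = []
    root = ET.fromstring(xml_text)
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "").strip()
        if domain == "*":
            # The case the post objects to: security removed for all domains.
            findings.append((domain, "any origin may read responses"))
            continue
        if domain.startswith("*."):
            findings.append((domain, "every subdomain is trusted"))
        try:
            # IP-literal grants in private ranges expose hosts behind the firewall.
            if ipaddress.ip_address(domain).is_private:
                findings.append((domain, "grant names an internal address"))
        except ValueError:
            pass  # not an IP literal; hostname grants are handled above
        # secure defaults to true; false lets non-HTTPS movies read HTTPS content.
        if entry.get("secure", "true").lower() == "false":
            findings.append((domain, "non-HTTPS movies may read HTTPS content"))
    return findings


if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        for domain, finding in audit_policy(policy):
            print(f"{name}: {domain}: {finding}")
```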