Experts Say Ajax Not Inherently Insecure
Gah. I hate to keep posting things repeatedly but my thinking is fragmented today :)
I don't think it's similar to a FORM at all, you can get the user to access other sites that they wouldn't normally access and get a parseable response from that site (as I mentioned above). I plan on testing this out some more with a friend of mine to see if I can grab their modems information remotely.
If you're using AJAX in a legitimate fashion (eg, requesting information from the original server) then yeah, it is as simple as a FORM request (maybe some session verification with PHP) but this manner I just outlined completely defeats that.