[Update 11:19pm PST - A number of folks in the IRC channel have noted that the problems described here really only affect a certain class of applications. OpenSocial/Google Gadgets can be used in many scenarios that don't raise the issues described here.]
... we are working on a mechanism that will sign _IG_Fetch requests, allowing you to verify server-side that the request was not spoofed. (This) will certainly be in place by the public launch of the Orkut sandbox.
It's good to see that the folks at Google understand the issue and seem to be working on it. This is a big issue [for some types of applications] and one I hope they can address soon. But it's not the end of the story, and I think there are a lot of issues around identity and authentication that need to get worked through (but we have good places to start: OpenID and OAuth). I hope that Google works through these issues in an open manner (open sky, not just open door) and doesn't simply foist a solution on the community. Furthermore, experience tells me that there's NOT one best answer, and the user experience is going to be really tricky. Can you imagine an entire screenful of login boxes? YECH!
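To make concrete what "sign _IG_Fetch requests so the server can verify they were not spoofed" means in practice, here is an added illustration of that class of mechanism. It is example code written for this page, not Google's implementation and not the scheme the Orkut sandbox eventually shipped; the shared-secret HMAC-SHA256 design, the `ts`/`sig` parameter names, the five-minute skew window and the sample values are all assumptions. The container signs a canonical form of the query string, and the application server recomputes the signature, compares it in constant time, and rejects stale or tampered requests.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed sample secret shared between the gadget container and the
# application server; a real deployment provisions this out of band.
SHARED_SECRET = b"example-shared-secret-not-for-production"
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is too far from "now"


def canonical_string(params):
    """The bytes that get signed: sorted, URL-encoded name=value pairs with the
    signature itself excluded, so both sides compute exactly the same input."""
    items = sorted((k, v) for k, v in params.items() if k != "sig")
    return urlencode(items)


def sign_request(params, secret=SHARED_SECRET, ts=None):
    """Container side (hypothetical): attach a timestamp and an HMAC-SHA256
    signature, returning the query string the container would send."""
    signed = dict(params)
    signed["ts"] = str(int(time.time()) if ts is None else ts)
    mac = hmac.new(secret, canonical_string(signed).encode(), hashlib.sha256)
    signed["sig"] = mac.hexdigest()
    return urlencode(sorted(signed.items()))


def verify_request(query_string, secret=SHARED_SECRET, now=None):
    """Application-server side: returns (ok, reason) for an incoming query string."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    if "sig" not in params or "ts" not in params:
        return False, "missing signature or timestamp"
    try:
        ts = int(params["ts"])
    except ValueError:
        return False, "malformed timestamp"
    now = int(time.time()) if now is None else now
    # Freshness check limits how long a captured signed request stays usable.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = hmac.new(secret, canonical_string(params).encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, params["sig"]):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Walk through the accept and reject cases with constructed parameters."""
    # Constructed request: the container asserts viewer 12345 wants add_friend.
    qs = sign_request({"viewer": "12345", "action": "add_friend"}, ts=1_000_000)
    return {
        "valid": verify_request(qs, now=1_000_010),
        "tampered": verify_request(qs.replace("viewer=12345", "viewer=99999"), now=1_000_010),
        "stale": verify_request(qs, now=1_000_000 + 3600),
        "unsigned": verify_request("action=add_friend&viewer=12345", now=1_000_000),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note what this does and does not settle. It lets the application server trust that the parameters came from the container, which is the spoofing problem the quote addresses. It does not establish who the viewer is beyond what the container asserts, and a timestamp window alone only narrows replay rather than eliminating it (a nonce store would be needed for that); those remaining identity questions are the ones the post says still have to be worked through.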