RSnake provides some much-needed insight into the AJAX craze.
"However, I'd like to point out, as I have before, that really users should not consider AJAX to be another security risk. It is the same old risk that we have always faced, except there is more client side code that can be circumvented now. The more logic you create on the browser for parsing and security, the more you must ensure that your backend also protects you at the same time, since all client side security can be circumvented in one way or another."
Also linked is an article discussing 10 Ajax Security 'issues' along with RSnake's perspective.