It does if it's a pure proxy with no access control because I could say "Hey, Bryan load http://commons.wikimedia.org/w/api.php?tsproxy=~evil/evil.js ".. and you follow the link and evil js happily steals your session cookie and begins to replace every image with goatse.
Then I should point out that this very thing is currently possible with this link: http://commons.wikimedia.org/wiki/Eurotunnel?withJS=User:Dschwen/evil.js%26M...
Uhm, actually this wasn't supposed to work, but the security checks on the withJS thingie are a little flaky. I'll fix this in a minute.