Cameron asked a great question today about the level of access a script hosted elsewhere might have when that script was called through an XSS attack. Is that allowed, he asked, since the script is not hosted on the hacked site?
There is a web security policy called same origin, which is supposed to help prevent these sorts of things. Basically, it prevents a web page from gaining access to data in another web page, unless they are on the same site.
Unfortunately it does not prevent a page at one site from embedding script it hosts in a page at a different site. This is makes XSS attacks just a bit easier, and is a tradeoff we accept for all the non-malicious benefits of embedding.
We also mentioned the dangers of html5 and native client in this context. You can learn more about this in OWASP's video on html5.