i suppose it depends how it's done. i was thinking that the cached page would contain script which was executed in "google.com"'s context (assuming the cache was under .google.com) - which to me is an xss attack.
on the other hand, the latest IE cross-zone trust flaw (for example) isn't an xss attack by itself, although it may be used as the payload of one.
Oh, sorry - That would be party #2 of 5 that evening (plus houseguests). I knew I wasn't going to be able to make it so I didn't follow up.
erm, I don't seem to have the email (or I'm not finding it, at least: could you give me a subject, from, or message-id? I'd like to verify that my mail system isn't dropping stuff), but I do remember seeing the info. This is Saturday, right?
Plus I bet Google doesn't want "google.com" showing up in referer logs for all those images that are "remote loaded" from other people's sites... the webmasters might get pissed. They still could, but it's not so obvious, being an IP address?
I've always assumed it was to stop the pages screwing with the cookies attached to google.com, and other such things which have a similar domain-tied security model. I guess that's what Kate and Brad were saying, though, so I guess I lose. :)