
crossdomain.xml: what's the point?


I'm having difficulty in figuring out why crossdomain.xml is a useful feature. It seems back to front to me. Why restrict flash (by default) from reading from publicly available services?

What's the point, to prevent DDOS attacks from people downloading malicious flash software?

It doesn't seem to protect the flash users at all, only third-party websites, and especially as that's circumventable with a proxy, it seems to render the whole thing pointless.


Solution

  • Flash files execute on the user's machine in a trusted environment. Without crossdomain files, a SWF could take a guess at internal services (anything behind a firewall) that the user has access to but a SWF should not. This is a major security risk. While there are other reasons for the policy, this is by far the most important one. So you are correct that it is annoying that it is needed to access public APIs, but it's better than it accessing private APIs (imagine corporate directory services) just because the content is running on your machine.
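As an added illustration of the risk the answer describes (not code from the answerer or from Adobe): a small audit of a crossdomain.xml policy, with a constructed over-permissive policy next to a constructed restrictive one. The `domain="*"` wildcard is exactly what lets a SWF hosted anywhere read the serving host's responses with the user's credentials, which is why a private service should never publish it.

```python
"""Audit a Flash crossdomain.xml policy for over-permissive settings.

Example code added for illustration; both policy documents below are
constructed samples, not real sites' files.
"""
import xml.etree.ElementTree as ET

# Constructed sample: any SWF on the web may read this host's responses
# with the user's cookies, i.e. the cross-origin risk the answer describes.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: only the named origin may read responses, and only
# from SWFs served over HTTPS; subdirectory policy files are not honoured.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    findings = []
    site_control = root.find("site-control")
    if site_control is not None:
        if site_control.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control permits policy files in any directory")
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*': any SWF may read responses")
        elif domain.startswith("*."):
            findings.append("wildcard subdomain allowed: %s" % domain)
        if el.get("secure", "true").lower() == "false":
            findings.append("secure='false' on %s: HTTP-served SWFs may read HTTPS content" % domain)
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append("any origin may send arbitrary request headers")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_policy(policy) or "no findings")
```

For a policy fetched from a live server, parse it with `defusedxml` rather than the stdlib parser, since the document is untrusted input.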