A way to explicitly put content in a separate SecurityDomain would be a good thing.

I’ve definitely seen an object with weak reference enterFrame listeners go away when GC’d.  Maybe it doesn’t if it came from another SWF.  Hopefully, Grant or somebody filed a bug on that so it can be examined and fixed if it is a problem.

Having a way to punt something or forcibly shut it down would be a good thing too, but it might be harder than it sounds.  Maybe the player team will find a great way to deal with it, but one of the reasons AS3 runs so much faster than AS2 is that the VM verifies an entire method before running it, and it doesn’t check at each instruction in the method to see if references are still good.  AS2 spent time doing that check at each instruction, and you pay for it when at runtime.

IMHO, AS2 let you write a bunch of bad code and get away with it.  Excellent from a prototyping perspective, but not how I would want to develop large frameworks or applications.  I’m willing to put up with overhead of being careful to release references when I’m done with something, adding protocols to handshake between child swfs, etc. because then there are fewer mysterious behaviors.  Everything is more predictable.  For example, I probably wouldn’t use weak reference enterframe listeners, I would probably use a strong reference listener and a REMOVED_FROM_STAGE handler to remove the listener so I know that if that object is skipped by GC, it won’t be eating CPU cycles and then when I go to debug it, it does get picked up by GC and the problem goes away.  Yes, it is more code, but I think it is better code.

Whenever you host third-party content, you either have to completely trust it or not.  The degree of non-trust you have for it dictates how open you are to betrayal.  If you don’t trust it at all, I’d put it in another player instance.  If I think I can trust it, or have time to figure out it is well-behaved, I’d put it in another securitydomain.  If I’m sure I can trust it, then I can load it into my securitydomain.  It’s one thing to meet a stranger and let him/her stay in a separate guest cottage and keep your doors locked, it is another to let them stay in your house and lock your bedroom, and yet another to let them stay in your bedroom.  And don’t get fooled by how nice and/or sexy they seem when you meet them J