The SOP is definitely not fool-proof:
To write a mash-up, you will typically need to perform AJAX calls to remote servers (client-side mashing). For example, you could write a web application to show results from allrecipes.com on a map from maps.google.com. In this case, you will need AJAX calls to allrecipes.com and maps.google.com. The SOP specifically prevents this, but there are ways around the SOP. The best way available today is probably JSONP.