Just a helpful reality check (since it's easy to lose perspective when you're outraged): Every site that uses JSONP is deliberately exploiting a loophole to circumvent privacy controls.
Last time I checked, JSONP is a workaround for Single-Origin-Policy. If a site A uses JSONP to consume service from B, then A bets its money on B's good will. I don't see B can steal anything other than A's in-browser data.
