
I'm not sure that this abuse would have much negative consequence. Am I missing something?

Let's say I copy the Google homepage and in the <head> there is a reference to http://google.com/logo.svg. How does that create any more problems than already exist?



If you have a "Share on Facebook" style service, for example, and make it available to mobile devices (which don't have the greatest security to begin with), it would be easier to forge a widget and upload to compromised websites to trap unwitting users. Because the logo source is the original homepage (i.e. it's an original resource location) the malicious individual doesn't now need to have a local copy of the logo.

This is why the original resource provider that hosts the logo would need to have a whitelist of which sites may allow their logo to be displayed. Of course, if a whitelisted site is compromised, then you still have the same problem.

It would also mean that there is the potential for a man-in-the-middle attack by injecting code into the SVG file as it is delivered through the widget. Some browsers may allow scripting to be executed (since SVG is basically XML) if the script is within a CDATA block. If the original resource location is compromised, then pretty much anyone using the direct link to the logo (be it widget, website or other consumer service) may end up receiving an unpleasant package with the logo.

This can be corrected by proper browser standards that don't allow execution of code within SVG files, so I hope in that regard it does catch on. Overall, it's a good idea that still has a few hiccups, but that's mostly due to browser/consumer security issues that need to be corrected.
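
An added example, not part of the comment above: a check that a site embedding a third-party SVG logo could run on the fetched file to flag the script-bearing content the comment describes. The function name and both sample SVGs are constructed for illustration, and the check detects active content rather than sanitizing it.

```python
import xml.etree.ElementTree as ET

SVG_ROOT = "{http://www.w3.org/2000/svg}svg"
# Elements that can run script or pull in arbitrary markup inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]

def find_active_content(svg_text):
    """Return a list of findings; an empty list means nothing active was seen."""
    # A static logo needs no DTD; refusing one also avoids entity-expansion tricks.
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        return ["DOCTYPE/ENTITY declaration (rejected before parsing)"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if root.tag != SVG_ROOT:
        findings.append(f"root element is {root.tag!r}, not an SVG <svg>")
    for el in root.iter():
        name = local(el.tag)
        if name in ACTIVE_ELEMENTS:
            # CDATA is only an escaping form: the parser hands back a normal
            # <script> element, so wrapping code in CDATA hides nothing here.
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            attr_name = local(attr).lower()
            if attr_name.startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            # Browsers ignore whitespace inside a URL scheme, so remove it first.
            if attr_name == "href" and "".join(value.split()).lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings

# Constructed samples: a plain logo and one altered in transit or at the origin.
CLEAN_LOGO = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              '<circle cx="5" cy="5" r="4"/></svg>')
TAMPERED_LOGO = ('<svg xmlns="http://www.w3.org/2000/svg" onload="placeholder()">'
                 '<script><![CDATA[ /* injected code would sit here */ ]]></script>'
                 '<circle cx="5" cy="5" r="4"/></svg>')

if __name__ == "__main__":
    for label, svg in (("clean", CLEAN_LOGO), ("tampered", TAMPERED_LOGO)):
        print(label, find_active_content(svg))
```

Browsers do not run scripts in an SVG loaded through an `<img>` element, so the check matters most when the file is inlined into the page or opened as a document of its own.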



