
Wouldn't this be better if you could only go to the same level or lower, thus preventing server/~user1 pretending to be server/~user2?

Does this break real use cases?




Cookies have this problem, too (anyone from the same domain sees your cookies, and you can't really count on the cookie path). So does XMLHttpRequest. Same origin[1] is pretty much the governing rule here; there wasn't any point in making pushState any more secure than the rest of the system.

1) http://en.wikipedia.org/wiki/Same_origin_policy
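An added example, not part of this thread or of any browser's code, showing the two rules under discussion as a guard in front of `history.pushState`: the same-origin check browsers actually enforce (a cross-origin URL throws a `SecurityError`), and the stricter "same level or lower" path rule the first comment proposes, applied as an app-level policy. The function names, the `server.example` host and the `/~user1/` paths are assumptions made for the example.

```javascript
// Added example (not from the thread or any browser): a guard for
// history.pushState that enforces two rules before the address bar changes.
//  1. Same origin: browsers reject cross-origin pushState with a SecurityError;
//     checking up front lets the app fail gracefully instead of throwing.
//  2. "Same level or lower" (the first comment's proposal): a page served
//     under /~user1/ may only push URLs inside /~user1/, so it cannot make the
//     address bar read /~user2/. This is our own policy; the History API itself
//     only enforces rule 1.

// "/~user1/app/index.html" -> "/~user1/app/"
function dirOf(pathname) {
  return pathname.slice(0, pathname.lastIndexOf('/') + 1);
}

// Returns { ok: true, url } or { ok: false, reason }.
// `target` is the URL passed to pushState, `current` is location.href.
function checkPushStateTarget(target, current, opts = {}) {
  const cur = new URL(current);
  let next;
  try {
    // new URL() resolves relative paths and ".." segments against `current`,
    // so the prefix test below operates on a normalised absolute path.
    next = new URL(target, cur);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (next.origin !== cur.origin) {
    return { ok: false, reason: 'cross-origin' };
  }
  if (opts.sameLevelOrLower) {
    const base = dirOf(cur.pathname);
    if (!next.pathname.startsWith(base)) {
      return { ok: false, reason: 'escapes ' + base };
    }
  }
  return { ok: true, url: next.href };
}

// Thin wrapper: only calls pushState when the target passes the checks.
// `history` is injected so the function can be exercised outside a browser.
function safePushState(history, state, title, target, current, opts) {
  const verdict = checkPushStateTarget(target, current, opts);
  if (verdict.ok) history.pushState(state, title, verdict.url);
  return verdict;
}
```

With `sameLevelOrLower` on, a page at `/~user1/index.html` can push `page2` but not `/~user2/` or `../~user2/x`; the same option also rejects the `/artist/x/1234` to `/song/x/1234` move mentioned later in the thread, which is exactly why a per-directory rule would break single-page web apps.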


It very well could. Consider that "real use cases" includes every website in existence. Some of them have utterly horrifying URL schemes.


It's not just horrifying URL schemes, it would make the feature useless for any "web app" - take Grooveshark for example. A user can go from /artist/x/1234 to /song/x/1234 which seems pretty reasonable and not very horrifying.


As long as the script file lives at / there's no problem.



