There have been many proposals to enhance the security of JSONP communications - some of which fail to understand the point.
As things stand now, when one makes a JSONP request to some provider, he has to trust the provider to actually return some JSON data wrapped in a callback. Well, actually it is enough to trust the provider to wrap anything into the desired callback: we can use JSON.parse to be sure that this anything is valid JSON. In any case, there is nothing stopping the provider from simply ignoring the callback and returning a malicious script.
The only way to make the mechanism secure is to add some enhancement on the client. The client should not blindly insert a script, but rather parse it before allowing it. This is, in essence, what many proposals advocate, but of course this requires some collaboration from the browser vendors. So we come to my question:
Is there any concrete proposal from some browser vendor to implement such a mechanism?
Using cross-domain XHR requests in browsers that have CORS support will probably be what eventually solves that problem. Bringing the response in through XHR instead of script injection prevents unwanted code execution, and (as you mentioned) JSON.parse() can then be used to interpret/validate the JSON response.
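The client-side check the question and answer describe, as an added example that is not part of either post: once the provider's reply has been fetched as plain text (in a browser, `xhr.responseText` after a CORS request; here a few constructed strings stand in for it), the client never evaluates it, but accepts it only if it is exactly `callback(<JSON>)` and hands the inside to `JSON.parse`. The function names and the identifier-only rule for callback names are assumptions of this example.

```javascript
// Added example: validate a JSONP-shaped reply without ever executing it.
// Assumed contract: the text must be `<callback>(<strict JSON>)`, optionally
// followed by ';' and whitespace. Anything else is rejected.

// Assumption: callback names are restricted to a plain JS identifier so the
// prefix check below cannot be confused by punctuation in the name.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*$/;

function parseJsonpResponse(text, expectedCallback) {
  if (!CALLBACK_NAME.test(expectedCallback)) {
    throw new Error("callback name is not a plain identifier");
  }
  const trimmed = text.trim();
  const prefix = expectedCallback + "(";
  if (!trimmed.startsWith(prefix)) {
    throw new Error("response does not start with the expected callback");
  }
  let body = trimmed.slice(prefix.length);
  if (body.endsWith(";")) body = body.slice(0, -1).trimEnd();
  if (!body.endsWith(")")) {
    throw new Error("response does not end with ')'");
  }
  // Everything between the outer parentheses must be strict JSON. JSON.parse
  // throws on code, comments, or a second statement smuggled in, e.g.
  // `{"a":1}); somethingElse(` between the parentheses.
  return JSON.parse(body.slice(0, -1));
}

// Convenience wrapper: true when the reply is acceptable, false otherwise.
function isSafeJsonpResponse(text, expectedCallback) {
  try {
    parseJsonpResponse(text, expectedCallback);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample replies a provider might send back for callback "cb".
const SAMPLES = {
  good: 'cb({"user":"alice","id":7});',
  wrongCallback: 'other({"user":"alice"})',
  extraStatement: 'cb({"user":"alice"}); somethingElse()',
  notJson: 'cb(someFunction(1))',
};
```

With the script-tag approach every one of these samples would run as code; with the text-plus-parse approach only `good` yields data, and the other three are rejected before anything executes.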