How do you decide that you are on the "same domain"?
Surely you do not believe everything a browser tells you. Domains (and IP addresses) are easily forged. If someone wants to target your site these will be minor inconveniences to get around. Besides which, it is not the domain of your WP site that gets passed, it is the visitor's credentials.
The 1.4.6 release has a new plugin for just such a situation. It allows other sites to request Zenphoto objects. Of course it will take some coding.
Furthermore, I see that if I include the check code but provide a w the image fails to cache. It only works with s.
Surely you do not think the code is so simplistic that it does not consider the request but would work on anything. What then would prevent the attacker from just including that code on his huge image requests?
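To make the point above concrete, here is an added example (not Zenphoto's code, and not how its `check` parameter is actually computed) contrasting a Referer-based "same domain" test with a request signature that covers the image path and every sizing parameter. The parameter names `image`, `s`, `w` and `check` mirror the thread's wording but the scheme itself, the secret and the sample query strings are assumptions constructed for the demo.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed demo secret; a real deployment would generate one per site
# and keep it out of version control.
SECRET = b"constructed-demo-secret"


def referer_allowed(headers: dict, allowed_hosts: set) -> bool:
    """Naive check that trusts the Referer header.

    Any client can send whatever Referer it likes, so this only ever tells
    you what the client claims, not where the request really came from.
    """
    ref = headers.get("Referer", "")
    host = ref.split("/")[2] if ref.count("/") >= 2 else ""
    return host in allowed_hosts


def sign_request(image: str, params: dict) -> str:
    """HMAC over the image path and every sizing parameter, in a fixed order.

    Because the size parameters are part of the signed string, a token
    issued for s=200 cannot be reused with a different or additional
    parameter (e.g. a huge w=...) to force expensive resizes.
    """
    canonical = image + "|" + "|".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def check_allowed(image: str, params: dict, presented_check: str) -> bool:
    """Constant-time comparison of the presented token with the expected one."""
    expected = sign_request(image, params)
    return hmac.compare_digest(expected, presented_check)


def parse_image_query(query: str) -> tuple:
    """Split a query string into (image path, sizing params, presented token)."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    presented = q.pop("check", "")
    image = q.pop("image", "")
    return image, q, presented


def request_is_authorized(query: str) -> bool:
    """Authorize an image request purely from the signed parameters."""
    image, params, presented = parse_image_query(query)
    if not image or not presented:
        return False
    return check_allowed(image, params, presented)


if __name__ == "__main__":
    token = sign_request("album/photo.jpg", {"s": "200"})
    good = f"image=album/photo.jpg&s=200&check={token}"
    tampered = f"image=album/photo.jpg&w=4000&check={token}"
    print("signed request accepted:", request_is_authorized(good))
    print("altered size rejected:", not request_is_authorized(tampered))
    # The Referer test happily accepts a header the client simply made up.
    forged = {"Referer": "https://gallery.example/somepage"}
    print("forged Referer passes domain check:", referer_allowed(forged, {"gallery.example"}))
```

The signature is only as good as what it covers: leaving a parameter out of the canonical string (or accepting a token issued for one parameter with another one bolted on) reopens exactly the "huge image request" problem the reply warns about.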