Hacker News
by fno 6190 days ago
If you are thinking of local directory traversal (src="jar:http://kaioa.com/b/0907/test.jar!../../somefile") then I think you are underestimating browser coders. Introducing that security issue would require a dedicated effort.

No, I was thinking that in certain scenarios where it might be possible to control the name of the file being shown, using jar:http:// could do a remote request and possibly expose some information.