I deployed a cross domain policy file at sub1.mydomain.com that only allows access from sub2.mydomain.com. When I try to access sub1.mydomain.com from a SWF deployed at sub3.mydomain.com, sure enough, it doesn't work.
However, when I run a local SWF through my Flex debugger and try to access sub1.mydomain.com, there's no problem. It just works.
What domain is the SWF in the debugger using? If it is using file:/// it has different security privileges. You can change your project properties to deploy to and debug from a server.
It's using file://. I just find it a bit strange that a local application can so easily bypass a remote location's cross domain policy and do things like hijack an existing session.
When you run from file:// we use a special set of security rules (localTrusted sandbox) in order to simplify development setups for simple apps. The theory is that, if you have downloaded a SWF to your computer and run it from the local file system, you are trusting it.
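To make the remote-origin check concrete, here is an added example (not code from the thread or from Adobe) that parses a constructed crossdomain.xml like the one described above, decides whether a SWF served from a given host would be granted access, and flags wildcard grants a reviewer would question. It models only the policy check for SWFs loaded from a network origin; the file:// localTrusted sandbox described in the last reply sits outside the policy and is deliberately not modelled. The wildcard rule treating `*.example.com` as also matching the bare `example.com` is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy, modelled on the one described in the thread:
# only sub2.mydomain.com is granted access to sub1.mydomain.com.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="sub2.mydomain.com"/>
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns granted by <allow-access-from> entries."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def domain_matches(pattern, host):
    """Match one policy pattern against the requesting SWF's host.
    '*' grants every origin; '*.example.com' grants every subdomain (and,
    as an assumption here, the bare domain); anything else is an exact match."""
    host, pattern = host.lower(), pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def is_allowed(policy_xml, requesting_host):
    """Would a SWF served from requesting_host pass this policy?"""
    return any(domain_matches(p, requesting_host)
               for p in allowed_domains(policy_xml))


def audit(policy_xml):
    """List the grants a reviewer should look at twice in a deployed policy."""
    findings = []
    for p in allowed_domains(policy_xml):
        if p == "*":
            findings.append("wildcard '*' grants every origin")
        elif p.startswith("*."):
            findings.append(f"'{p}' grants every subdomain of {p[2:]}")
    return findings


if __name__ == "__main__":
    for host in ("sub2.mydomain.com", "sub3.mydomain.com"):
        print(host, "->", "allowed" if is_allowed(SAMPLE_POLICY, host) else "denied")
    print("audit findings:", audit(SAMPLE_POLICY))
```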