I looked a bit into the code and so far my rough understanding is that this behaviour depends on:
- the value of the "forbidXHR" preference;
- whether the code making the XHR comes from a "special" scheme (such as "chrome:");
- whether the relevant locations (e.g. source and target) are whitelisted by the user.
Is there any way to have surrogate XHRs succeed in this situation?
Generally speaking, I want NoScript to distinguish "my" code from that of other people, and be able to place different levels of trust on them (some degree of trust for my code and complete distrust for other people's code). 
 All my surrogates are of the "no-script" kind (that is, "sources" is prefixed with "!").
 By "untrusted" I just mean not whitelisted by NoScript. I'm not talking about the "Mark as untrusted" feature of NoScript.
 If you are wondering now why don't I use something like Greasemonkey instead of NoScript surrogates, well, is because some of these scripts are supposed to run in an environment where NoScript is already part of the trusted code base, while Greasemonkey is not.