The wfMangleFlashPolicy() function in OutputHandler.php corrupts API output containing "<cross-domain-policy>" by replacing the string with "<NOT-cross-domain-policy>".
In 2007, wfMangleFlashPolicy() was added in r19996. About a year later, Adobe addressed the vulnerability in Flash Player, and six years have since passed.
According to Adobe's website, by default Flash Player 10 only allows crossdomain.xml at the root ("master-only" meta-policy). So it may be possible simply to remove the check, which already fails to work on many PHP configurations (e.g. output_buffering = 4096 from the sample php.ini files). There is also an "X-Permitted-Cross-Domain-Policies" header that can be sent.
Alternatively, ApiFormatJson could be changed to hex-escape < and > (by removing the FormatJson::XMLMETA_OK flag), though that would do nothing to fix the other (deprecated?) non-XML output formats (e.g. PHP), action=raw, and so on.
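
The difference between the two approaches discussed above, as an added example (not MediaWiki code): mangle() is a hypothetical stand-in for the replacement this report describes, plain json_encode() with JSON_HEX_TAG stands in for hex-escaping < and >, the payload is constructed sample data, and the header value "none" is an assumed choice.

```php
<?php
// Added illustration, not MediaWiki code. All names here are hypothetical.

// Stand-in for the string replacement described in the report.
function mangle(string $out): string {
    return str_replace('<cross-domain-policy>', '<NOT-cross-domain-policy>', $out);
}

// True when the serialized output decodes back to exactly the original data.
function roundTripsIntact(string $serialized, array $original): bool {
    return json_decode($serialized, true) === $original;
}

// True when the raw response bytes still contain the literal policy tag.
function containsPolicyTag(string $serialized): bool {
    return strpos($serialized, '<cross-domain-policy>') !== false;
}

// Constructed API result: page text that legitimately quotes a policy file.
$result = [
    'text' => 'Example: <cross-domain-policy>'
        . '<allow-access-from domain="*"/></cross-domain-policy>',
];

// Approach 1: rewrite the serialized output. The replacement lands inside
// a JSON string value, so the client decodes text the page never contained.
$mangled = mangle(json_encode($result));

// Approach 2: hex-escape < and > while encoding. The raw bytes carry
// \u003C and \u003E instead of angle brackets, and decoding restores them.
$escaped = json_encode($result, JSON_HEX_TAG);

foreach (['mangled' => $mangled, 'hex-escaped' => $escaped] as $name => $out) {
    printf(
        "%-12s literal tag in output: %-3s  data intact after decode: %s\n",
        $name,
        containsPolicyTag($out) ? 'yes' : 'no',
        roundTripsIntact($out, $result) ? 'yes' : 'no'
    );
}

// The response header mentioned in the report. "none" is an assumed value;
// it is only sent when running under a web SAPI.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header('X-Permitted-Cross-Domain-Policies: none');
}
```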