How Secure is SAJA?
SAJA has two levels of security that you should be aware of. The first I call "function" level security, meaning that any functions you add to SAJA's special ajax-callable files are protected from the outside world. Only someone who has first visited your site has the ability to call your server-side functions.
SAJA optionally uses RC4 encryption for the data the end user submits. RC4 is considered very secure, especially for infrequent small bursts of data. RC4 is a symmetric algorithm, meaning that the same method is used to decrypt as to encrypt the data. It also uses a single shared key, so the key used to encrypt is also the key used to decrypt.
SAJA should never be used as a replacement for HTTPS. It is meant only to provide a level of security that is better than standard HTTP. A determined hacker could potentially compromise any data sent by SAJA, although it would be much harder than intercepting non-encrypted data.
The function name is stored in a PHP session on your server. The function name is never sent to the end user, so only the owner of the session has the ability to execute that specific function.
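A sketch of the session-bound dispatch described above, added here as an example and not SAJA's own code; the function names `saja_register`, `saja_dispatch` and `get_user_greeting` are hypothetical, and the session is emulated so the script runs from the CLI.

```php
<?php
// Added example (not SAJA's code): a per-session allow-list for ajax-callable
// functions. The browser only ever sees an opaque token; the real function
// name lives in $_SESSION, so a request cannot name an arbitrary function.

// Hypothetical server-side functions. Only the first one is registered below.
function get_user_greeting(string $name): string {
    return "Hello, " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}
function delete_account(): string {
    return "account deleted";   // sensitive: never exposed to ajax in this demo
}

// Register a function for the current session and return the token the page embeds.
function saja_register(string $fn): string {
    if (!function_exists($fn)) {
        throw new InvalidArgumentException("unknown function: $fn");
    }
    $token = bin2hex(random_bytes(16));      // unguessable, unique to this session
    $_SESSION['saja_fns'][$token] = $fn;     // the name itself stays server-side
    return $token;
}

// Dispatch an incoming request: only tokens stored in THIS session resolve.
function saja_dispatch(string $token, array $args): string {
    $map = $_SESSION['saja_fns'] ?? [];
    if (!isset($map[$token])) {
        // A real handler would answer with HTTP 403 here.
        return 'forbidden';                  // unknown token, foreign session, or no session
    }
    return call_user_func_array($map[$token], $args);
}

// Demo run: emulate a session instead of calling session_start().
$_SESSION = [];
$tok = saja_register('get_user_greeting');
echo saja_dispatch($tok, ['Ada']), "\n";                  // Hello, Ada
echo saja_dispatch('delete_account', []), "\n";           // forbidden: raw names are rejected
echo saja_dispatch(bin2hex(random_bytes(16)), []), "\n";  // forbidden: token not in this session
```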