Is it safe to use JavaScript to eval JSON-like data from your own servers?
3 points by benhoyt on June 15, 2007 | 4 comments



Scenario: I've got a page which does an Ajax request and eval()s the response. I trust the response, because it's from our own servers (and simply contains a dictionary). But are there any possible issues I'm forgetting?


If it's static, then you have no more worry than you would with any other javascript file. If it's dynamically generated, just be sure to escape any string delimiters in user-supplied data.
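An added example (not from the thread) in Node.js illustrating the point of this answer: a user-supplied string concatenated into a dynamically generated JSON-like response without escaping breaks the literal, while serialising with JSON.stringify and parsing with JSON.parse instead of eval keeps the response data-only. `buildNaive`, `buildSafe`, `roundTripsExactly` and the sample dictionary are constructed for illustration.

```javascript
// Constructed example: server-side serialisation of a dictionary that
// contains user-supplied strings, and client-side parsing without eval.

// Naive server-side builder: concatenates user input straight into a
// JSON-like literal. This is the pattern the answer warns about: an
// unescaped quote in the data ends the string early, and with eval()
// on the client whatever follows is interpreted as JavaScript.
function buildNaive(dict) {
  const parts = [];
  for (const [k, v] of Object.entries(dict)) {
    parts.push('"' + k + '": "' + v + '"');
  }
  return '{' + parts.join(', ') + '}';
}

// Safe builder: JSON.stringify escapes quotes, backslashes and control
// characters, so user-supplied text can never terminate the literal.
function buildSafe(dict) {
  return JSON.stringify(dict);
}

// Client side: JSON.parse accepts only data and never executes code.
// Anything that is not strict JSON throws instead of running.
function parseResponse(text) {
  return JSON.parse(text);
}

// Check whether the client recovers exactly the dictionary the server
// intended to send when the response is built by the given builder.
function roundTripsExactly(dict, builder) {
  let parsed;
  try {
    parsed = parseResponse(builder(dict));
  } catch (e) {
    return false; // malformed response: the literal was broken
  }
  const keys = Object.keys(dict);
  return Object.keys(parsed).length === keys.length &&
         keys.every((k) => parsed[k] === dict[k]);
}

// Constructed sample: a display name containing a double quote, as a
// user might legitimately type it into a profile field.
const sample = { user: 'ben', display: 'Ben "Hoyt" Jr.' };

module.exports = { buildNaive, buildSafe, parseResponse, roundTripsExactly, sample };
```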


Proxies. Is what the client is receiving actually from your server and not from something between them and you?


But a malicious proxy doesn't need to insert Javascript to get your browser to do naughty things, since it can just manipulate the upstream anyway. Not to mention inject Javascript into HTML pages as they come down.



