This isn't about JSON at all, but about cross-site scripting.



The title threw me for a loop. I was like "OHNOES!" I must secure my JSONs probably with some XMLs. Then I was like oh...


No, it's not. XSS is about injecting JavaScript in 3rd party sites to bypass the same origin policy.

This is about loading 3rd party JSON APIs on the attacker's site using other ways of bypassing SOP.

The first vulnerability (CSRF) isn't specific to JSON APIs, but the second one is.