After playing around with this a bit more, I may have answered my own question. On my Mavericks Mac, the skp:callback from TIG.remote fails with the now familiar error message if the call to allow_actions_from_host is omitted or invoked with a bad argument when the WebDialog is set up by Ruby (which is what Chris said before, I just didn't understand).
So, the concern isn't about executing an action on a remote host, it is about preventing skp: callbacks when the WebDialog contents were loaded from a remote host and might be malicious. Restricting the callbacks to pages from only trusted domains registered with this method then makes sense.
Which, of course, doesn't answer the question of why this method is ignored on most OS's and suddenly started working in Mavericks! But that will have to be answered by the Trimble SketchUp engineers, since the rest of us have no insight as to how this part of WebDialog is implemented.
As a note to the Trimble engineers: it would have been a lot easier for us outsiders to track this down if the error message was clearer. The message reports the full URL of the callback that it doesn't like (which is why we see the skp:callback@ part), and calls it an "Invalid URL" whereas it is actually a prohibited callback from a page that wasn't vetted by the Ruby code.