If at least one "security filter" has been selected for a profile, then all of them are applied. Consequently, you can end up with really messed up content showing up in the editor after the AJAX call to "ckeditor/xss".
In our case, we have the Messaging module installed, which provides a filter to convert HTML to plain text. We have only the "HTML filter" filter enabled for one profile, but because of this bug, the filter from Messaging also gets applied and so the content for any CKEditor field gets stripped of all HTML formatting.
So far as I know, this is limited to the D6 codeline.
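
The behaviour reported above, modelled in plain PHP as an added example (this is not the CKEditor module's code, and it is not from the original report). The filter names, the profile layout and both functions are hypothetical; `strip_tags()` stands in for the real filters.

```php
<?php
// Constructed model of the reported behaviour; not the CKEditor module's code.
// Filter names, the profile layout and both functions are hypothetical.

// Each "security filter" is a callable that takes and returns a string.
$filters = array(
  // Stand-in for the "HTML filter": keep a small set of tags.
  'html_filter' => function ($text) {
    return strip_tags($text, '<p><strong><em><a>');
  },
  // Stand-in for the Messaging module's HTML-to-plain-text filter.
  'messaging_plaintext' => function ($text) {
    return strip_tags($text);
  },
);

// Profile with only the HTML filter selected (constructed sample).
$profile = array('html_filter' => 1, 'messaging_plaintext' => 0);

// Reported behaviour: one selected filter is enough to run all of them.
function apply_filters_buggy($text, $profile, $filters) {
  if (!array_filter($profile)) {
    return $text; // nothing selected, nothing applied
  }
  foreach ($filters as $filter) {
    $text = $filter($text);
  }
  return $text;
}

// Expected behaviour: run only the filters selected for this profile.
function apply_filters_selected($text, $profile, $filters) {
  foreach ($filters as $name => $filter) {
    if (!empty($profile[$name])) {
      $text = $filter($text);
    }
  }
  return $text;
}

// Constructed sample content for a CKEditor field.
$input = '<p>Hello <strong>world</strong> and <em>friends</em></p>';
echo apply_filters_buggy($input, $profile, $filters), "\n";
echo apply_filters_selected($input, $profile, $filters), "\n";
```

The first line of output has lost all markup because the unselected plain-text filter also ran; the second keeps the tags the selected filter allows.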