As long as you're signed into Google, anyone who can make you load a web page can use CSRF to add a filter to your GMail account that forwards all your email somewhere else. It doesn't even help if you use WebRunner to run GMail as a separate application: because of Google's single sign-on across all its products, you're likely to be signed in to another Google product using your main browser, so the exploit will still work against GMail.
There was another (XSS) vulnerability discovered last week (and fixed). Also, an employee forwarding internal emails to GMail may have been the source of the recent MediaDefender leak, though that's not thought to have been a GMail vulnerability, rather he used the same password on a different site (or maybe he gave the password to a social networking site to fetch a list of his contacts ;-).
Of course, the big database of everyone's email communication (and other private information) needs to be secured from the inside as well, and I don't know if there's any way to do that completely.