ajax in the strict sense (xmlhttprequest), indeed is generally considered to be limited to the same domain, but a lot (if not everything) depends on the way browsers implement the security model. one thing I noticed is that Firefox will issue a cross-domain request even with normal (non cross-domain) ajax, but it blocks the entire response from coming in (looks like it aborts the request, leading to http 206 response code). that means that, at least in firefox, "write calls" need to be protected against CSRF attacks even for normal ajax.
next to browser glitches like this, most browsers also support 'cross domain resource sharing' which can be used with xmlhttprequests as well. when done the correct way, cross domain ajax can be pretty safe.
but adoption of CORS seems to hampered by the success of 'jsonp'; dynamically inserted scripts that contain data in json wrapped in a callback parameter which are not limited by the same domain principel. doing this the safe way (i.e. preventing an attacker site to dynamically insert and execute script from the victim site for a logged on user for which the cookie would indeed be sent along) is somewhat more difficult (requiring a session-alike token in each request which is not in the cookie).
conclusion: read-operations using traditional ajax are safe, for writes & jsonp you'll have to do some extra work to be safe. if you really want to go cross domain, you should probably look into CORS as an alternative to jsonp.