I agree that it's not secure enough to verify that the command came from your "real" address -- not because I imagine that ill-wishers will be refilling sg users' disposables with forged From: headers, though: after all, sg keeps the ill-wishers from knowing the real address in the first place, and if they do know it somehow, it seems like a lot of evil-doing pain for not much evil-getting gain -- why not just send email to the real address?
...
Rather, the possibility of abuse (however implausible) will occur to tech journalists, who will then bash the feature as "insecure" -- I've read too many reviews (e.g., http://www.pcmag.com/article2/0,4149,12616,00.asp and http://www.pcmag.com/article2/0,4149,844094,00.asp -- both are so "important" that they're the number two google hit for the search term "spamgourmet") that focus on sg auto-create as a security problem without a) mentioning prefixes and watchwords, which effectively seal it off, or b) admitting what a silly scenario it is to imagine spammers sitting around making up disposable email addresses, or that sg no-brainer users have been enjoying the service with absolutely no maintenance worries or "made up" addresses for *years* now... (and if one had listened to the journalists years ago, he or she would have missed out on all that transparent spam protection)
So, learning the harsh lessons of journalistic blockheadedness, I'd say the shallow *appearance* of security is, unfortunately, almost as important as actual security.