So far there is no way to upload from Flash (or even open local files from Flash) to prevent malicious websites from stealing your data ... and I hope that it will remain this way.
Since Flash is a completely scripted environment, it would hardly be possible to keep file access under user control without some annoying procedures or without displaying a standard dialogue that the user can clearly distinguish from any interaction built into the movie. Something like the "always trust signed active controls from xxx website" dialog would perhaps do ... but it does not integrate into any site design.
In contrast, browsers allow file up- and downloads but make them not scriptable - you can click the submit button (and on IE even the browse button) through scripts, but no script should be able to fill in the file name. Unfortunately, Microsoft browsers have already crossed that fine line in the past.