But that is exactly the point: if the Jenkins instance is not anonymously viewable, then anonymous users would not normally be able to determine the status of any jobs—or even (without DISCOVER) their existence. So exposing this information via an UnprotectedRootAction without any additional access control, merely by installing this plugin, would constitute a security breach. If you want your build status to be seen by the world, why not make the job itself visible?
SSO should be irrelevant since the image is loaded from Jenkins, so it should not matter what if any authentication is applied to the embedding page.
If there is some use case for making selected build statuses anonymously obtainable without exposing other information about the job(s), then the plugin should define a new permission VIEW_STATUS and check that on the Job corresponding to a URL from the UnprotectedRootAction. (Returning a 404 if either there is no such job or that permission is denied, so as not to bypass DISCOVER.) That way an administrator could grant this permission to the anonymous user on all jobs, selected jobs, jobs in a certain folder, etc.