Multiple simultaneous failures within a Protection Domain can lead to data unavailability. (By simultaneous, I am referring to a second component failure, e.g. SDS, before an earlier component failure has been resolved, e.g. before an automatically triggered mirror rebuild has completed; such scenarios should be rare because rebuilds are expected to complete quickly due to the ScaleIO wide-stripe layout.) However, to mitigate this, you could use a host-based volume manager to mirror 2 (otherwise independent) ScaleIO volumes presented/mapped from 2 separate Protection Domains.
This type of host-based mirroring is generally the basis for implementing a failover cluster technology on top; several cluster technologies are listed in the ScaleIO support matrix.
Just an option to consider researching further.