Thanks to Jim Hamm who writes, "Here are some comments about security in Safari from a member of a Mac forum I belong to. These are the settings he recommends. I’ve not tried or read about the last item in his list: FlashToHTML5. I’ll have to learn more about this, and why/if to use it."
Safari - Block Pop-Up Windows
Safari - Preferences - General - Open "safe" files after downloading (uncheck)
Safari - Preferences - Autofill - Using info from my Address Book card (uncheck)
Safari - Preferences - Autofill - User names and passwords (uncheck)
Safari - Preferences - Security - Fraudulent sites (check)
Safari - Preferences - Security - Location services (uncheck)
Safari - Preferences - Security - Web content (uncheck all for most security, but check as you need capability)
Safari - Preferences - Security - Accept cookies (check only "Only from sites I visit")
Safari - Preferences - Security - Ask before sending a non-secure form from a secure website (check)
Safari - Preferences - Extensions - AdBlock (add this extension to block most ad content)
Safari - Preferences - Extensions - FlashToHTML5 (add this extension to convert Flash to HTML5 when possible)
"The biggest setting to change is the Human Setting. Think about links before you click them. Hover over them to reveal their true destinations before clicking on them. Watch for non-secure (http://) links that ought to be secure (https://)--anything that deals with money, like banks, checkouts, etc. Look for the green secure/trusted indicator in the URL bar.
"Watch for links that include multiple 'http' strings -- these initially look like they go to the first domain listed, but actually go to the last one listed (http://www.trustedbank.com.http://evil-domain.net/blah/blah). DON'T click these. If a bank asks you for your account login information in email, via a link sent in email, it's fraudulent. If clicking a link causes a 'Enter your system administrator password' prompt, think long and hard before typing it in. I think you get the idea."