Not sure its called like that, but the thing in the browser doesn't seem safe.
Unity enabled running C# and in C# you can easily break execution into C++ execution which can do pretty much everything it wants under the browsers permissions.
It is save ;) You can't use reflection in webplayer and a lot of other things. Sockets can be used but you can't open a listen socket. Even sockets are domain restricted. Native code plugins also won't work in Unity-webplayer. They have done what they can to make it save. So far I haven't heard of any exploits of the webplayer.
Just take a look at the Security Sandbox page