Is Safari 17.6 still safe to use in 2025?

They claim that zero-days and drive-bys don't require any manual download/installations, ...

Those claims are technically correct. If taken by themselves and removed from remaining context, they are factually true, however, using such a premise to justify outdated Safari versions are somehow "insecure" and therefore no longer safe to use lacks logical justification. Without citing specific examples of how flaws in an "old" Safari version might be exploited to leverage some previously unseen flaw in its code many years after its release, the claims fall flat.

Apple's fundamental approach to such theoretical attacks is based on the premise that Mac malware is not the product of spontaneous generation. It has to arise from somewhere. That source can be anything from the outside world granted access to your equipment, and a browser is only one such threat vector. The first line of defense is you. It is impossible for anyone to install anything on a Mac unless an authorized user of that Mac explicitly permits it — or — that theoretical someone has physical, hands-on access to the Mac, which opens up a wide variety of potential exploits that go beyond the scope of this subject. That explicit permission extends even to Apple's software updates, since Apple is the sole source of them. Whatever is installed on your Mac is installed because you wanted it installed — and there are limitations to that which I'll explain presently.

The next line of defense is Apple's Gatekeeper. Excerpt, which they italicize for emphasis and I boldfaced to address your specific concern:

"... all software in macOS is checked for known malicious content the first time it’s opened, regardless of how it arrived on the Mac."

That means Safari, direct downloads using curl or some cryptic Terminal command neophyte users might be convinced into typing in themselves, a USB drive you plug into the Mac, a malicious device on your local network (which would also require your permission), an AppleScript that does the same thing... anything. Regardless of how it arrived on the Mac.

The next line of defense is XProtect, for which Apple pushes approximately daily updates to check for and invalidate malware that may have been downloaded and installed, even if its installation occurred in the distant past. XProtect operates independently of Safari or any other app or process that might access the Internet, and its definitions are updated even for Macs a decade and a half old. I just checked; the last one was issued yesterday — for a Mac that has been out of production since 2008. Those Macs are functionally obsolete yet Apple still protects them. For free.

The next line of defense (are you getting tired yet?) is SIP which a user can disable (but shouldn't) that blocks alteration of certain protected areas of the system even if the user explicitly authorized such alteration. Only Apple's software updates and apps obtained from the App Store can alter those areas.

The next line of defense (But wait! There's more!) is the fact macOS itself now exists in a signed, cryptographically sealed read only container completely inaccessible to the user. It's been that way since Catalina, and previously on iOS devices. macOS updates and upgrades directly from Apple's servers supposedly deep in some underground bunker are allowed access, but nothing more.

Part 2 of this longwinded reply follows next.