1. Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page. That was always a bad idea, and Java's developers have proven themselves incapable of implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style virus affecting OS X. Merely loading a page with malicious Java content could be harmful.
Fortunately, client-side Java on the Web is obsolete and mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice. Forget about playing games or other non-essential uses of Java.
Java is not included in OS X 10.7 and later. Discrete Java installers are distributed by Apple and by Oracle (the developer of Java.) Don't use either one unless you need it. Most people don't. If Java is installed, disable it—not JavaScript—in your browsers.
Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a task on a specific site, enable Java only for that site in Safari. Never enable Java for a public website that carries third-party advertising. Use it only on well-known, login-protected, secure websites without ads. In Safari 6 or later, you'll see a padlock icon in the address bar when visiting a secure site.
2. Another perennial weak point is Adobe Flash Player. Like Java, Flash is in well-deserved decline, but Flash content is still much more widespread than Java content on the Web. If you choose to install the Flash plugin, you can reduce your exposure to Flash by checking the box marked
Stop plug-ins to save power
in Advanced tab of the Safari preferences window, if it's not already checked. Consider also installing a Safari extension such as "ClickToFlash" or "ClickToPlugin." They will prevent Flash content from loading automatically, and will also cause non-Flash video to be substituted for Flash on YouTube and maybe some other sites. I've tested those extensions and found them safe, but you should always do your own research before deciding whether to trust any third-party software.