Given that eww (the latest Emacs web browser) is written in elisp, it's safe from buffer overflows and such, which are the most common form of vulnerability in software written in C. The actual parsing code uses libxml, which isn't elisp, but is one of the most widely-deployed parsers around.

Obviously there's no such thing as perfect security, but I would guess it's way more difficult to exploit than your conventional browsers.