Safer than running it via Boot Camp and safer than running it on a PC, but that's only because of the ease with which you can just obliterate the OS install and start over.
Might need to be taken with a small grain of salt since Microsoft was the funding source for the study, but they recently found even right now, XP is like 6X more likely to be hit with malware than Windows 8. Probably a lot of that has to do with newer versions of IE, with much improved security, don't run on XP.
You can read a little more on that here: http://www.theregister.co.uk/2013/10/31/security_intelligence_report_microsoft/
You really should try and gently encourage this client to get away from XP as quickly as they reasonably can. Same with anyone else you run across running XP. Despite the rose tinted glasses people look at it with now, XP was kind of a turd and it hasn't aged very well. No one remembers how for about the first two years with XP hardly a week went by when there wasn't some new remote exploit found that could be pulled off without any user interaction or all the teething issues with drivers, permissions, user accounts and the fact that the relatively modest skinning attempt on XP was more than integrated graphics circa 2002 could handle with acceptable performance levels. Microsoft learned a lot of very hard lessons with XP which are reflected in later versions of Windows, even if they aren't necessarily whiz-bang in your face features.
Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic