MacWorld deconstructs the anti-phishing features in Safari 3.2.
Bottom line for security & web developers: It’s Google’s database, and they’ve been doing this for 3 years. Only hashes go over the network, and they are cached locally. It’s good stuff.
Bottom line for privacy-interested people: If you hit a suspicious hash prefix, you ask Google’s servers for the full hash. In theory this is enough for Google to do some analytics. Certainly it doesn’t directly reveal what URLs you are really visiting. Apple’s privacy policy does not discuss any sending of data to anyone but the site you visit (i.e. it is silent on this sort of feature). Nor does it bar Google from misusing anything they could collect. Mozilla’s privacy policy covers these bases.
Bottom line for anyone who has better things to worry about: It’s fine, leave the checkbox on, and if it ever warns you that you may be visiting a malicious website, stop and listen to it. You are probably not where you intend to be. Scott can explain.
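The prefix-then-full-hash lookup described above, as an added sketch that is not code from Safari, Google or the MacWorld article. It makes visible what the list server learns: nothing on a local miss, and only a hash prefix on a local hit, including a hit caused by a benign page that collides with a listed prefix. The class and function names, the SHA-256 digest, the 4-byte default prefix and the `.example` entries are assumptions or constructed data, and URL canonicalisation is skipped.

```python
import hashlib

def full_hash(expr: str) -> bytes:
    # Assumption: SHA-256 over an already-canonicalised host/path expression.
    return hashlib.sha256(expr.encode("utf-8")).digest()

class ListServer:
    """Hypothetical stand-in for the list provider; holds constructed entries."""
    def __init__(self, bad_exprs, prefix_len=4):
        self.prefix_len = prefix_len
        self.hashes = {full_hash(e) for e in bad_exprs}
        self.seen = []  # every prefix a client has revealed to the server

    def prefix_list(self):
        # What clients download and cache: truncated hashes only.
        return {h[:self.prefix_len] for h in self.hashes}

    def full_hashes_for(self, prefix: bytes):
        self.seen.append(prefix)
        return {h for h in self.hashes if h.startswith(prefix)}

class Browser:
    def __init__(self, server: ListServer):
        self.server = server
        self.n = server.prefix_len
        self.cache = server.prefix_list()  # local copy of the prefix list

    def check(self, expr: str) -> str:
        h = full_hash(expr)
        if h[:self.n] not in self.cache:
            return "allow"  # decided locally, nothing is sent
        # Local hit: only the prefix goes to the server, never the URL.
        if h in self.server.full_hashes_for(h[:self.n]):
            return "warn"
        return "allow"  # prefix collision with a benign page

def find_collision(server: ListServer, template="benign.example/{}") -> str:
    # Brute-force a benign expression sharing a listed prefix.
    # Only practical for short prefixes (e.g. prefix_len=1).
    listed, i = server.prefix_list(), 0
    while True:
        h = full_hash(template.format(i))
        if h[:server.prefix_len] in listed and h not in server.hashes:
            return template.format(i)
        i += 1

if __name__ == "__main__":
    srv = ListServer(["phish.example/login"])  # constructed list entry
    b = Browser(srv)
    print(b.check("news.example/"), b.check("phish.example/login"), srv.seen)
```

With a 1-byte prefix, `find_collision` returns a benign expression within a few hundred tries, and checking it appends one prefix to `seen` while still returning "allow".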