If she is using NoScript in a "medium" security manner -- meaning temporarily trust the parent domain of the site, but only whitelist external scripts (which means a fair amount of clicking "Temp allow akami / googleapis / disqus / some-image-service / etc") then that is MUCH better than Chome. Even NoScript in a "low" security method that temp-allows all scripts on a page but still blocks XSS, ClearClick, and anything else you choose like Java applets and iframes is still better than allowing all javascript and all plugins.
On the privacy front, try BetterPrivacy (never touch it after first time config) to flush all local Flash storage on browser start+stop. (You can of course whitelist LSOs from your bank or whatever.) Additionally, try CookieMonster in whitelist-only mode. It's just like NoScript, but for cookies so you can permanently allow all the sites she logs into, and temp allow any random page with a form.
Even just trying some extra plugins or stronger security settings will help everyone think more about security as they're learning more about security.