On the privacy front, try BetterPrivacy (never touch it after first time config) to flush all local Flash storage on browser start+stop. (You can of course whitelist LSOs from your bank or whatever.) Additionally, try CookieMonster in whitelist-only mode. It's just like NoScript, but for cookies so you can permanently allow all the sites she logs into, and temp allow any random page with a form.
Even just trying some extra plugins or stronger security settings will help everyone think more about security as they're learning more about security.