It turns out my suspicions were correct.
Jeremiah Grossman, chief security officer of WhiteHat Security, has released a proof of concept showing how AutoFill can be used to grab the name, work place, city, state, and email address of a visitor to a web page. No user action is required beyond navigating to the malicious page.
The exploit assumes that the 'Me' card in the user's Address Book is populated with real data, but that is common practice.
Grossmann notes that his exploit does not work with fields that start with a digit, so phone numbers and street addresses cannot be obtained this way.
In the blog entry that disclosed the vulnerability, Grossmann notes that he reported the issue to Apple a little over a month ago, but despite a follow-up email had received no response other than an automated reply to his original notification.
See page 2 to find out how to protect yourself against the vulnerability.
To do that, choose Preferences from the Safari menu, click the AutoFill tab, and make sure the three boxes aren't ticked.