"Safe" is a relative term. You wouldn't have a projects directory on a production server, so that's not an issue, and a development machine is inherently "unsafe" in the hands of authorized users.
You seem to be mixing 2 different issues, though. One of which is that you're apparently using the Tomcat Manager to deploy and the other of which is that your deployed webapp is located in an external directory.
Which actually doesn't make sense, since the Tomcat Manager can't do that. When you deploy using Tomcat Manager, it uploads a copy of your WAR into Tomcat's internal storage. It has to, since otherwise the Tomcat Manager couldn't deploy WARs that initially resided on a separate machine.
On the other hand, I myself run test webapps directly from my project directory, but I don't use the Tomcat Manager to deploy them; I just install a Context in Tomcat that tells it that the WAR is located in my project directory. As for "safe", it's as safe as the working copy of the project itself is.