WordPress does not natively use Ajax submits with Settings API, so there isn’t really best practice for it. I remember scbFramework having such option, but it was removed.
Essentially there is nothing inherently more insecure to such submit, you should treat form data as untrusted regardless of submit method and appropriately sanitize and validate it in PHP back end (any sanitization or validation client-side isjust convenience and cannot be relied on for security).