Was wondering the same, how many checked characters would make the process safe?
I read that vanity gen is able to do 50mils keys per second, let's keep this number, multiply by 10 seconds and at this point, I still believe checking the first and last 4-5 characters is enough.
I can imagine malware that connects to an external server, which stores a large database of pre-created addresses.
And without having a clue I doubt the malware would store billions of addresses in text files and filling up the HDD with those.
There's also malware that
monitors 2.3 million Bitcoin addresses: thanks to the public blockchain it's easy to create a list of all addresses that are worth stealing, and include a couple million similar addresses in the malware.
Isn't it enough to check just the fist 4-5 and last 4-5 characters?
It's probably enough, but I prefer a higher degree of certainty than just "probably".