I haven't completely read the full paper yet (it's pretty big), but in a brief scan, I can't actually find any definition they use for staying safe. They talk about 'protecting their security online' and 'to stay safe online', however I didn't spot anything more specific.

As you point out, there are a variety of attacks and big differences between e.g. leaking a password or getting a virus infection. But since their highlighted techniques cover both of these attacks (virus scanners, password best practices), you have to assume that they are relating to a whole range of attacks.

We did not provide a definition of what "staying safe online" means. As a result, some participants might have thought more of protecting online accounts, while others focussed on keeping their systems from getting compromised, etc. But coming from a non-technical user the question would be likely to be framed just like that: vague, because users don't know what the biggest threats are and what they should defend from first.