This is a very common misconception about Java and security.
Unless you are using Java Applets directly inside the browser as plugins (which neither Chrome, nor Firefox, nor Edge, nor Safari support anymore - see https://www.java.com/en/download/faq/jdk9_plugin.xml), there is absolutely no urgent requirement to switch to Java 9, which specifically deprecates the support for applets, anyway. yEd does not make use of the Applet mechanism.
Here is why:
- The "well known security risks of Java" stem from the time when Applets were still in use and supported by browsers: At that time it was possible for users to "drive-by-download" applets that would then use the security issues in the Java Applet engine to break out of the browser process.
- These security issues do not affect Java Applications that you explicitly download and install. These applications usually already have full access to your PC and do not "need" security issues to break out of their sandbox because they wouldn't even need to do that if they were malicious.
- (At the time of this writing) Java 9 is so new and probably contains more bugs and security vulnerabilities than the latest Java 8. Java 8 will be supported for a while, so staying on Java 8 is not an extra risk.
- yEd can be installed to use its own local Java environment which will only be used by yEd. Since yEd already has full access to your local user's resources, even a JDK that is full of security holes would not really make the situation worse.
So in short: Use Java 8 with a local JRE for yEd and enjoy. It's not in any way more insecure than Microsoft Word or Notepad. If you don't require Java elsewhere on your system, do not install it globally.