Is there a setting for Vanadium to never remember history without opening an Incognito tab every time?
Not that I'm aware of, but you can make an Incognito shortcut if you want.
Also, what are the best Safe Browsing settings? I see it is turned off by default. Is there a reason not to turn it on?
It doesn't work without Play services, but should work with it; that's why it's off by default, since GrapheneOS doesn't ship with Play services (but a compatibility layer for it).
Enabling it or not is totally up to you. It works with a database of known-bad URLs either hosted locally and updated periodically (I think that's the API used by most browsers), or hosted directly by Google (in which case the application queries it directly by sending a POST request with the URL). Safe Browsing sometimes sends hashed URLs to Google so privacy is less of a concern, but you're still communicating with a party, which you may not want.
Enumerating badness isn't a flawless approach, however, so in practice Safe Browsing isn't a strong security layer. It can prevent some off-the-shelf phishing attempts, but not sophisticated attacks.
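The local-database mode mentioned in the answer above, sketched as an added example that is not part of the original thread: the client hashes URL expressions with SHA-256 and compares short hash prefixes against a locally stored list, so the server is contacted only on a prefix match. URL canonicalization is simplified here, and the `.test` hostnames and list contents are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 hash kept in the local list

def expressions(url):
    """Host-suffix/path-prefix combinations to check for one URL.
    Simplified: no percent-decoding, IP-address or port handling."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    labels = host.split(".")
    # Exact host, plus up to four suffixes of its last five labels (never the bare TLD).
    hosts = [host] + [".".join(labels[i:])
                      for i in range(max(1, len(labels) - 5), len(labels) - 1)]
    # Exact path with and without the query, plus up to four leading directories.
    dirs = path.split("/")[1:-1]
    paths = [path + "?" + parts.query] if parts.query else []
    paths += [path, "/"] + ["/" + "/".join(dirs[:n]) + "/"
                            for n in range(1, min(len(dirs), 3) + 1)]
    paths = list(dict.fromkeys(paths))  # drop duplicates, keep order
    return [h + p for h in hosts for p in paths]

def prefix_of(expression):
    """First PREFIX_LEN bytes of the expression's SHA-256 digest."""
    return hashlib.sha256(expression.encode()).digest()[:PREFIX_LEN]

def local_check(url, local_prefixes):
    """Return the (expression, prefix hex) pairs that match the local list.
    An empty result means the URL is cleared with no network request at all."""
    return [(e, prefix_of(e).hex()) for e in expressions(url)
            if prefix_of(e) in local_prefixes]

# Constructed local list: one known-bad entry on a reserved .test domain.
LOCAL_PREFIXES = {prefix_of("phish.example.test/login/")}

if __name__ == "__main__":
    for url in ("https://docs.example.test/guide/intro.html",
                "http://www.phish.example.test/login/index.html?u=1"):
        hits = local_check(url, LOCAL_PREFIXES)
        # Only the short prefix would leave the device, never the URL itself.
        print(url, "->", [p for _, p in hits] or "no match, nothing sent")
```

A prefix match is not a verdict: it only tells the client to ask the server for the full hashes behind that prefix, which is the point at which a third party learns something about the visit.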