No, if you intend to limit the JSONP to select domains. Specify the encoding too or people who shouldn't be able to access the JSON can possibly do UTF-7 injection attacks. Use this header instead:
header('Content-Type: application/json; charset=utf-8');
If it's supposed to be a public JSONP service, then yes, it is safe; also use application/javascript instead of application/json.
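
An added example, not part of the original answer: a PHP responder that sets the Content-Type and charset discussed above for both the plain-JSON and the public-JSONP case. The function name `jsonp_response`, the `callback` parameter name, the sample data and the extra `X-Content-Type-Options` header are assumptions of this example.

```php
<?php
// Added example; jsonp_response(), the "callback" parameter and the
// sample data are hypothetical names chosen for illustration.

function jsonp_response(?string $callback, array $data): array
{
    // JSON_HEX_* keeps <, >, &, ' and " out of the body. '+' and '-' are
    // never escaped by json_encode, so UTF-7 sequences pass through as-is:
    // the explicit charset below is what keeps a browser from guessing.
    $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);

    // Addition beyond the answer: also tell the browser not to sniff the type.
    $common = ['X-Content-Type-Options: nosniff'];

    if ($callback === null) {
        // Plain JSON, with the header from the answer.
        return ['status' => 200, 'body' => $json, 'headers' => array_merge(
            ['Content-Type: application/json; charset=utf-8'], $common)];
    }

    // The callback name is caller-controlled and lands at the very start of
    // the response, so accept a plain identifier only.
    if (!preg_match('/\A[A-Za-z_$][A-Za-z0-9_$]{0,63}\z/', $callback)) {
        return ['status' => 400, 'body' => 'invalid callback', 'headers' => array_merge(
            ['Content-Type: text/plain; charset=utf-8'], $common)];
    }

    // Public JSONP: a script, so application/javascript, charset still stated.
    return ['status' => 200, 'body' => $callback . '(' . $json . ');', 'headers' => array_merge(
        ['Content-Type: application/javascript; charset=utf-8'], $common)];
}

$cb = $_GET['callback'] ?? null;
$response = jsonp_response(is_string($cb) ? $cb : null,
    ['user' => 'alice', 'note' => 'a+b-c']); // constructed sample data
http_response_code($response['status']);
foreach ($response['headers'] as $line) {
    header($line);
}
echo $response['body'];
```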