My question is how safe is this?
To make it safe, Django needs to NOT return any data concerning the view until Django does a BACKEND check on the permissions. Because on client side a malicious user can use flip that boolean to True simply using the browser's JS console.
So basically, the client side check should be LIMITED to simply altering the user interfaces (e.g. hide links to resources the user doesn't have permission to access). But when the time comes for the Django server to return data to a user, the Django view needs to do the permissions check on its own.
Are there any better ways of doing this without the use of Django's templates?
Yes, you can make AngularJS fetch the user profile with the permissions from a REST API. It gives you better organization than padding the Django template's HTML with JSON data.
Personally what I do is, once a user is logged in, AngularJS fetched the user profile, e.g. first_name, last_name etc and along with it I attach a field called "permissions" and instead of booleans, I just pass the names of permissions the user has.
profile.permissions = ['view_app1', 'view_app2', 'create_model_1', ...]
Because it's less data sent over HTTP vs sending all permissions with lots of x=False fields in them