What are the real physical risks of casual social media publishing?
When looking for actual physical risks, doxing and the results are most important.
There are examples of the hivemind of Reddit and 4chan where peoples exact locations, addresses, names and anything else might useful for actual physical attacks (or swatting) available online to which I will not link for obvious reasons.
The amount of information that can be found and linked is astonishing. Examples of 4channers whos lives got destroyed that way might help you discourage your family from posting this kind of information.
For example, I had experienced this in my practice:
When penetration testing one company, I got access to the system via a password recovery form, because the mail server provided options for security questions like "name of your dog" and "your school". This information was displayed in profiles in social networks.
Having many accounts makes it difficult for you to remember what personal information you have committed to each one. And this info could then be used, for password recovery to your Yahoo email, for example. And there could be emails with very important info, or that could be used to compromise your bank account or other things.
The "look at us on holiday" type of pictures are of interest because they can be viewed without arousing suspicion or notice, unlike keeping an eye on the house istelf. A single approach to a house that's expected to be empty could then lead to a break-in.
If the same or a linked account includes pictures of valuables (whether as the subject -- "look at my new TV" -- or in the background) then you start to look more like a target. If you are prone to posting these sorts of pictures in groups, especially local ones, it's a lot worse:
- Last month: Fred Bloggs posted in Mytown helpful advice "how do I wire in my new 100 inch smart TV".
- Yesterday: Fred Bloggs posted in Mytown helpful advice "where's best to eat dinner at the airport before a long flight tomorrow"
It's probably as well to assume that the address is known or at least findable with some effort if you make yourself look like a target.
You also open yourself and your contacts up to scams based around bad things happening to you, for example claiming you were robbed/injured on holiday and need money wired to you to pay hospital bills, or (as Stephan Branczyk suggested)
"Hey Grandma, I'm stuck in jail in Mexico for having bought a little bit of weed. Can you follow the directions below for wiring $400 to the jail for bail? I'd ask dad, but you know how he gets with his religious sermons. Please hurry! I have to go to the bathroom in front of everyone!" And to Grandma, this message makes perfect sense because she has been reading your wall, she knows you're supposed to be in Mexico for spring break (out of phone range). And she knows your dad is on an evangelical streak these days.
Something else to watch out for is (auto-)posting activities/check-ins that locate you away from home: I tend to wait until I get home from a trip away before manually uploading to Strava, for example, as I don't want to reveal that I'm away (neither do I want to make my activities private by default as sharing is the point of posting them). Strava then doesn't auto-post to facebook in my case. Similarly I don't post routine commutes.
Luckily mitigation isn't hard: restricting who can see photos posted while you're away (to people you really know), then posting the holiday album when you get home is a good start. Avoiding posting to a wide audience things that might make you a target is also a good plan (anyway boasting about how much money you've just spent is uncouth). The threat in most places is of course low.