Interesting posts and comments on JSON and security in browsers: robubu and resig. Boils down to: "browser security pretty much sucks no matter what" and "if your JSON parser relies on eval(), you are a fool, no matter how fast it is".
As Patrick Mueller commented...
Approach 2 and 3 should, simply, NEVER, EVER, EVER be used. There are plenty of libraries available today to parse JSON data structures, and none of them will EVER, EVER be able to read the whacked out Approach 2 and 3 styles. EVER. JSON is data. There is no way any bit of it should ever be treated as code. Some day browsers will become real platforms for applications and we will laugh at all this. Data, baby, data!
That seems a long way off.
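As an added illustration (not code from this post or the linked ones), the JavaScript below contrasts an eval()-based JSON "parser" with a real JSON parser on a constructed response that is valid JavaScript but not valid JSON; the names recordSideEffect, parseWithEval and parseSafely are assumed for this example.

```javascript
// Added example (not from the original post): show why "JSON is data, never
// code" matters. An eval()-based parser runs whatever expression the text
// contains; JSON.parse only accepts the JSON grammar and rejects the rest.

// Assumed helper: records any side effect that eval() lets the payload cause.
const sideEffects = [];
globalThis.recordSideEffect = (msg) => sideEffects.push(msg);

// The approach the quoted comment warns against: treat response text as code.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Hardened approach: a real JSON parser. Returns { ok, value } on success or
// { ok: false, error } on rejection, so callers never see code executed.
function parseSafely(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample inputs.
const honestJson = '{"user": "alice", "roles": ["reader"]}';
// Looks like an object literal, but the value is an expression that executes
// (a comma expression that calls a function, then yields "alice").
const poisonedJson = '{"user": (recordSideEffect("code ran"), "alice")}';

function demo() {
  const results = {};
  // Both parsers accept genuine JSON.
  results.evalHonest = parseWithEval(honestJson).user;
  results.safeHonest = parseSafely(honestJson).value.user;
  // eval() executes the embedded expression and still "succeeds" silently.
  results.evalPoisoned = parseWithEval(poisonedJson).user;
  results.sideEffectsAfterEval = sideEffects.length;
  // JSON.parse rejects the same text with a SyntaxError; nothing runs.
  results.safePoisoned = parseSafely(poisonedJson);
  results.sideEffectsAfterSafe = sideEffects.length;
  return results;
}
```

The check to carry into a review is the second half of demo(): a parser that returns a value for poisonedJson without raising an error is executing data as code.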