In theory, if all servers and connections to them were perfectly secure (impossible) and trustworthy (not true), neither one would be more "secure" than the other - mainly because the developer(s) of the website are in full control of the content of the site. Since Flash and the JS is served to clients, the server would have to serve malicious content to the end user in order for the end user to be affected.
Sadly, we don't live in a perfect world and JS tends to be more secure in the case of a server compromise - it is far more limited in its ability to affect the client. Many Flash vulnerabilities have the ability to execute arbitrary code, which is far more damaging than browser exploits, which often require multiple vulnerabilities to break out of the sandbox. This means that JS exploits often can only manipulate the client while the client is viewing that page and is usually unable to persist after it is closed, whereas Flash exploits can infect clients with RATs or other malware, which enables the attacker to have control over the client even after the browser is closed.
Another benefit of using JS is that the source is viewable by clients. Someone using the site may notice something suspicious in the source and notify the developers, allowing for the intrusion to be more easily detected. In the case of Flash, a malicious attacker can inject malicious code into an existing swf and since users cannot view the source without dissembling the swf, malicious code may go undetected for longer.
For an end-user, scenario 2:
JavaScript enabled, Flash not installed or enabled
would be much safer for the reasons above and given Adobe Flash's history of exploits. A search in the NVD reveals a total of 610 vulnerabilities, 330 of which are between January 2014 and December 2015. Most JS-related exploits tend to be browser specific, which reduces the number of clients affected, while Flash is meant to be cross-platform, which increases the number of affected clients (less nowadays, considering that many people have Flash disabled).
TLDR: Keep Flash off and use JS instead.