First of all, I hope your coworker will be safe. That being said, the average person doesn’t need to be too paranoid, i.e. it’s not like North Korea in China. Tor is not illegal in China but VPNs are, and Tor would probably be considered a VPN. Even though VPNs are illegal, nobody has been arrested for using one yet, it’s an open secret that basically anyone who has to conduct important business with foreigners will use them, and even the great firewall’s inventor has used one in public. I’d imagine this is because there are too many VPN users to police, and the same would probably apply to Tor. My guess is that unless your coworker is an IRL dissident or anti-CCP journalist, etc. the government won’t care about their Tor usage specifically. Lots of Chinese people learn about Tiananmen, the Uyghur genocide etc. when going to the West and that probably won’t get you arrested (unless you speak out in public) too - that’s probably where the rumours come from. I don’t know how strict the border security is going into China currently, but all they have to do is convince them not to search their files, USB stick, etc. Even if border security seizes the installation, it’s not that big of a deal because they could just use a regular VPN then install Tor from there. So, the hiding in a coin trick another redditor suggested is probably overkill and might get you arrested for defacing currency.
Regarding the Chinese active targeting: AFAIK China doesn’t try to infect people with malware when using hidden services. However, downloading and running things from random onion sites isn’t advisable anyway, so they should be careful regardless. The only sort of “active censorship” China does on Tor is various shenanigans to block bridges that go beyond simply scanning traffic - e.g. spamming the “give me bridges” button, using machine learning to find probable bridge connections and spoofing connections to the suspected bridge to find out, etc. Some research on this can be found here
Regarding special setup: the other commenters have linked to good resources, most of the info about what works and what doesn’t comes from word of mouth so your coworker might want to find Chinese citizens in chatrooms on the dark web to share strategies to bypass the GFW. Meek and Snowflake proxies (both built into Tor) sometimes work and sometimes don’t, and it’s important to update often so when they do work your coworker gets them working as well as possible. Various fancier bridges have been developed for the GFW, and some regular VPNs have been made specifically to bypass the GFW. Popular solutions include shadowsocks vpn, softether VPN, trojan-gfw, and many more. I haven’t researched this in a while, so your coworker might want to look into more esoteric methods. For now, this list is a great place to start. Additionally, if your coworker is willing to pay for server hosting in the West, they can simply host an SSH server and use that as a proxy - almost undetectable unless they block all SSH servers, which wouldn’t be good for businesses who need it.
Regarding getting hacked: Tor is just a browser, and you can’t get hacked from visiting a website, unless there is a vulnerability in the website or a 0-day in a browser. The first one allows stealing cookies and other related info, which isn’t relevant if you’re just reading/watching stuff and not logged in to anything important (obviously, big sites won’t have as many of these bugs, and if China discovers one it is more advantageous to do something other than hack YouTube viewers who watch “bad” videos, and if they do that the problem isn’t Tor specific). The second problem (0-days in browsers) is what allows your whole computer to be taken over, but these are super rare as browsers have multiple layers of security (including literally running code in a new virtual machine for each tab), you can get paid millions of dollars for finding one, and they’re usually reserved for big targets like prominent journalists and not for mass surveillance (that would “spoil” the 0-day, as trying to target everybody who knows about Tiananmen Square 1989 will lead to it being discovered faster). Again, regular browsers are affected by this too, and the only risk is dark web publishers might be more sketchy, but earning millions of dollars and potentially a job as a professional hacker with NSO Group is probably more lucrative than hacking a few hundred people who visit their sites. TO BE EXTRA SAFE: it is good practice to set the security level in Tor settings to “safer” or “safest”. This disables lots of common attack vectors that have had security issues in the past (although “safest” disables JavaScript, preventing anything interactive from working, which is why I personally like “safer”). Some websites may break a little, but hidden services won’t as much because they know their target audience will use these modes.
IMPORTANT: your coworker should follow proper Tor OPSEC when using it - that means no installing extensions, when logging in to an account on Tor assume you have as much privacy as using a normal browser, don’t use Tor with another browser open (this isn’t to prevent hacking, just extra paranoia just in case, feel free to ignore this if it’s too annoying). I’d recommend this video series (watch part 2 also) to learn this.
Regarding screenshots and screen recording: if it’s not your coworker bringing stuff back from the West, they don’t have to do that in China - right click saving and downloading videos is safe. Just don’t download and run any untrusted executables.
Regarding bridges: there are mechanisms to prevent bridges from running out - the same IP returns the same bridges, each IP “range” (an ISP, a cloud hoster, etc.) gets a pool of bridges (to prevent someone controlling all the IPs in a range from getting all the bridges), there is a captcha (although it’s pretty bad and something you could break as a weekend project). You could get an obfs4 bridge and hope it works, but once it doesn’t (it’ll get found out eventually) you’ll need to get more somehow. Chinese online communities probably have better ways to get bridges - China has literally hired wumaos to solve Tor bridge captchas and eminent domained IPs from a bunch of Chinese ranges (temporarily) to block all the bridges one time.
Regarding getting it compromised: all bridges are obviously not in China, and Western nations would be more than happy to stop China from somehow seizing servers not physically in China. Lots of non-obfs4 bridges like meek are run by Tor themselves. If one is somehow compromised, it’ll be equivalent to a guard node compromise, meaning they’ll know your IP and when you use Tor, but nothing else (most bridges also don’t log, so the government has to start a covert bridge from scratch). Because of something called NAT (and even more so with CGNAT), your IP rotates to different people periodically, and CGNAT makes a bunch of people share the same IP. That means they have to ask your coworker’s ISP for logs to target them, which is very unlikely as that is a waste of resources. The current state of the art of “breaking Tor” that doesn’t rely on vulnerabilities is timing attacks, which require lots of time, are too expensive to do on a large scale, and require at least the guard/bridge and exit nodes to be compromised/monitored, which is something only the NSA et al. could plausibly do (as before, China doesn’t control the Internet access of a single Tor node, so the only way they do this is to buy a lot of servers in another country, a stunt some countries have tried before). In general, breaking Tor is so expensive that they’d only plausibly do it for high value targets like people they know are spreading dissent, and that usually only proves they visited a particular site (AFAIK, even this doesn’t work for onion services) or that they used Tor. Still, just in case, your friend should auto update Tor or at least remember to update it frequently.
Sorry if this was too long. Hope your coworker will do well going back. Your coworker might be interested in this and his associated commentaries on Party ideology, if they haven’t seen it already.
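A simplified model of the bridge-distribution scheme the comment above describes (same IP range gets the same answer, each range is pinned to its own sub-pool, answers rotate over time). This is an added illustration written for this page, not BridgeDB's own code; the bridge lines, the secret and the /16 "area" granularity and 3-hour period are constructed assumptions for the demo.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone

# Constructed sample pool: 20 fake obfs4 bridge lines in the TEST-NET range.
BRIDGES = [f"obfs4 192.0.2.{i}:443 FP{i:02d}" for i in range(1, 21)]
SUBRINGS = 4          # the pool is split into this many disjoint sub-pools
PERIOD_HOURS = 3      # how often a requester's answer rotates (assumed value)


def client_area(ip: str) -> str:
    """Collapse a client IPv4 address to its /16 "area" (ISP-sized block),
    so every address in the block counts as one requester."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def time_period(ts: datetime) -> int:
    """Integer that changes every PERIOD_HOURS hours; answers are stable within it."""
    return int(ts.timestamp() // (PERIOD_HOURS * 3600))


def _keyed_index(secret: bytes, label: str, modulus: int) -> int:
    """A secret-keyed HMAC turns a label into a position. Without the secret a
    requester cannot predict which bridges any other area would be handed."""
    digest = hmac.new(secret, label.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def select_bridges(ip: str, secret: bytes, ts: datetime, n: int = 3) -> list[str]:
    """Return the n bridges handed to `ip` at time `ts`.
    - same area and same period -> same answer, so repeated requests leak nothing new
    - each area is pinned to one sub-pool, so controlling an entire /16 still
      yields at most len(BRIDGES)/SUBRINGS distinct bridges, never the whole pool."""
    area = client_area(ip)
    ring = BRIDGES[_keyed_index(secret, area, SUBRINGS)::SUBRINGS]
    start = _keyed_index(secret, f"{area}|{time_period(ts)}", len(ring))
    return [ring[(start + k) % len(ring)] for k in range(n)]


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # the distributor's private key (constructed)
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(select_bridges("198.51.100.7", secret, now))
```

The "weekend project" captcha the comment mentions sits in front of this lookup; the sub-pool pinning is what limits the damage when the captcha is farmed out.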