If clients were designed to warn their users when a soft fork happens, then it could be done reasonably safely. The reference client does this (or is it just for high POW softforks?), but many SPV clients don't.

If there was a delay between version number changing and the rule activation, at least nodes would get a warning recommending that they update.

* At each difficulty interval, if 950 of the last 1000 blocks have the new version number, reject the old version blocks from then on.

* Start new target at 255, the least significant byte must be less than or equal to the target

* Update target at each difficulty re-targetting

T = ((T << 3) - T) >> 3

This increases the difficulty by around 12.5% per fortnight. After 64 weeks, the target would reach 0 and stay there meaning that the difficulty would be 256 times higher than what is given in the header.

An attacker with 2% of the network power could create 5 blocks for every block produced by the rest of the network.