TIL Safari on iOS 12 has built-in protection against fake software keyboards


Safari on iOS 12 has a security mechanism in place to make sure malicious websites aren’t displaying a software keyboard that mimics the iOS one in order to act as a keylogger.

To trigger the warning: open a webpage in full-screen mode, for example a full-screen video on YouTube’s mobile website. Then tap several times at the bottom of the screen, as if you were typing on an invisible keyboard.

A warning message will appear telling you the website may be showing you a fake keyboard to trick you into disclosing personal or financial information.

Worth reading the comments on this page.

Note that this seems to only work on an iPad (something to do with the way iPad supports a full-screen mode that iPhone does not).

I have not been able to replicate this, but I am running a beta, so that might be an issue. A number of people have replicated this. If you can, please do ping me with specifics.

And here’s a screenshot of the warning message.