If you enable "classic link" for an EC2-classic instance, it will be able to talk to your VPC.
Your existing EC2-security group (assigned to the classic server) - controls all traffic to EC2-classic instance EXCEPT for the traffic with the linked VPC (according to the docs).
That traffic - between the EC2-classic instance and the VPS - is controlled by a separate security group that you assign when you set up this "classic link".
Now. Is it safe to simply allow all traffic on all ports in this VPC security group? Assuming, it connects only to my private VPC anyway.
I guess my question is - when a classic link is enabled, it "links" my EC2-instance to my and only my VPC, correct? No other traffic can physically get through this link, am I right? Thanks.
That's the idea -- the associated VPC security group only controls traffic from the VPC to the Classiclink instance and back. Access to EC2 Classic instances via the classic network infrastructure is controlled only by the classic security groups, and Classiclink connections do not enable any transit traffic through the VPC to the instance (such as from the Internet Gateway).
Of course, "allow all" is not best practice, even in a secure environment. Only what needs to be allowed should be allowed, so even though your understanding seems correct, and in this case "all" doesn't mean "all," it's still not ideal.
Speaking of not ideal, EC2 Classic is not ideal anyway. Plan to migrate your services into the VPC. New accounts don't even offer EC2 Classic any more, and once you're done, you can have AWS support permanently disable it for your account, and give you Default VPCs in all regions, instead, which have some of the same simplicity-oriented behaviors of EC2 Classic. See "I really want a Default VPC" in the VPC FAQ.