Are there any risks to a personal device in taking the suggested steps?
If by “personal device” you mean a mobile phone or tablet, the email apps on most such devices have fewer features than the equivalent email client application on a desktop or laptop computer, so the steps I listed may not be possible on a personal device, and you would need to either save the file or extract the message headers using the email client on your desktop or laptop.
As to the “risk”, the only risk to you is that of information exposure; if you take a genuine confidential email message, save it in its entirety it and then provide it to a third party, you are providing them with the confidential information. If is it a government body like ScamWatch, you can reasonably assume they will treat it appropriately, but there is of course no guarantee. If it’s a scam message, it is very unlikely to contain confidential information, so this isn’t a risk.
Providing just the message headers supplies much less information, but the information may still be confidential from your perspective if it is a genuine email message eg details about the sender such as their email address, IP address and email client. Again, if it is a scam message, this is unlikely to be an issue unless you consider your own email address and IP address to be confidential, because these are also included in the message headers.
In summary, taking the steps I described previously will generally not be possible on a mobile phone or tablet, but if done on a desktop or laptop, carries no risk to yourself or your devices if you are doing so to provide scam email messages to ScamWatch.
One might expect ScamWatch would offer similar examples and advice to those reporting
Each mail client has its own method of saving raw messages and extracting message headers, so ScamWatch can only provide general guidance, just as I have done.
However, if ScamWatch can see that you are the first reporter of what appears to be a major new attack (not just the hundredth person today to report a Nigerian Prince email), they will probably want to investigate promptly and in detail, and may reach out to you personally and have you assist them, which may well involve them giving you specific instructions related to your email client for you to provide them with further information.
To be fair to ScamWatch, any criminal with the time, inclination and some computer skills can attempt to scam thousands or millions of people around the world and there is little if anything ScamWatch can do to prevent this. Their role is more around educating businesses and the general public, monitoring trends and liaising with other organisations (Microsoft/Apple/Google as operating system suppliers, web site hosting services, mobile carriers, ISPs etc) to have them fix security bugs, block illegitimate traffic, evict illegitimate users of their services and so on.