in reply to The safety of string eval and block eval.
String eval does what it implies on the packet - it evaluates a string as though it were Perl source code. Given that that string could include user input, there is the very real possibility that malicious user-supplied code could be run with whatever credentials your executing script has. Often that's a pretty wide open door to do nasty stuff.
Block eval on the other hand is much more like the try / catch blocks provided in other languages. It allows a way to manage execution errors generated within the eval. For example:
    my $ok = eval {
        # code that might call die to signal that something has gone wrong
        ...
        return 1;    # only reached if nothing died, so the eval returns true
    } or do {
        # error handler code; copy $@ first, before anything else can overwrite it
        my $error = $@;
        ...
    };
Any die executed within the eval block is handled by the do block, allowing error recovery or at least nice error reporting. die and block eval are a very nice way to handle errors without having to hand explicit success back from called code. That helps make code much cleaner and makes it easier to manage error handling correctly.
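The two points above, side by side, as an added example that is not part of the original reply: a "calculator" that hands user input to string eval runs whatever the input contains, while the rewritten version parses the input itself and uses die plus block eval only for error handling. The function names unsafe_calc and safe_calc and the sample inputs are constructed for this example; the injected input only prints a line, so the script is harmless to run.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed inputs: the first is the arithmetic the script expects, the second is
# a Perl statement smuggled in front of it. Both are valid Perl, so string eval runs both.
my @untrusted = (
    '2 + 3',
    'print "  [injected code ran as uid $< inside $0]\n"; 2 + 3',
);

# --- 1. String eval: the input *is* the program ---
sub unsafe_calc {
    my ($expr) = @_;
    my $result = eval $expr;    # compiles and runs $expr with the script's privileges
    die "bad expression: $@" if $@;
    return $result;
}

print "string eval:\n";
for my $input (@untrusted) {
    printf "  unsafe_calc(%s) => %s\n", $input, unsafe_calc($input);
}

# --- 2. No string eval: parse the input, then use die/block eval as throw/catch ---
my %ops = (
    '+' => sub { $_[0] + $_[1] },
    '-' => sub { $_[0] - $_[1] },
    '*' => sub { $_[0] * $_[1] },
    '/' => sub { die "division by zero\n" if $_[1] == 0; $_[0] / $_[1] },
);

sub safe_calc {
    my ($expr) = @_;
    # Whitelist the one shape we support: NUMBER OP NUMBER. Anything else is rejected
    # before any evaluation happens; no part of the input ever becomes Perl code.
    my ($l, $op, $r) =
        $expr =~ /\A\s*(-?\d+(?:\.\d+)?)\s*([-+*\/])\s*(-?\d+(?:\.\d+)?)\s*\z/
        or die "rejected: not of the form NUMBER OP NUMBER\n";
    return $ops{$op}->($l, $r);
}

print "block eval:\n";
for my $input (@untrusted, '1 / 0') {
    my $ok = eval {
        my $v = safe_calc($input);          # may die: bad input or division by zero
        printf "  safe_calc(%s) => %s\n", $input, $v;
        1;                                   # true return value means "no error"
    } or do {
        # Copy $@ immediately; an object DESTROY between the die and here can clear it,
        # so also fall back to a fixed message rather than reporting an empty error.
        my $error = $@ || 'unknown error';
        chomp $error;
        print "  safe_calc($input) failed: $error\n";
    };
}
```

The second loop shows the pattern from the reply in use: safe_calc signals failure with die, the eval block turns that into a false return, and the or do branch handles it without any called code having to pass success flags back up the stack. The `$@ || 'unknown error'` fallback is the usual defensive touch, since `$@` is a global that can be overwritten before the handler reads it.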