I'll answer this question from a rather theoretical perspective.
"I've heard that websites that download malicious data onto the user's
computer without their consent do exist, but is this possible on an
iMac[...]?"
Yes. As others pointed out, this is independent of the operating system.
A web page contains or refers to — and thus causes the browser to load — data in various formats. As Serge described, the first thing loaded is plain HTML. It may have modern extensions like style sheets. The HTML may embed or refer to media of various kinds like images, sound files, videos, scripts or Flash animations which may be downloaded and opened (i.e. decoded and then played or displayed) by the browser without any user interaction beyond opening the original page.
The problem is that in principle any decoder for a data format, including plain HTML, may have bugs which can be exploited. (1) This includes data which is normally totally "passive" like images (for an example with JPEG images see this Microsoft security bulletin from 2004). A trivial example from 20 years ago was a (formally correct) GIF file which expanded to a huge bitmap. An attempt to display it in a browser or viewer simply crashed the computer, which is a blunt denial of service attack. For an exploit the data presented on the page would be specially crafted to produce a misbehavior of the specific decoder which eventually allows the attacker to place executable code in the computer's memory which will then be executed. The original code can be small, say a jump to an operating system routine starting a shell.
The obvious mitigation strategy is to disable as many data formats as possible in the browser. No videos, no sound, no images, no scripting.
It may be worthwhile to repeat the mantra of the German blogger and security expert, Felix von Leitner. He is adamant that virus scanners only offer fake protection (he calls them snake oil). One reason is that they are never perfect and thus need a responsible user anyway. The second reason, relevant here, is that the virus scanner itself is a huge attack surface! Think about it. Modern scanners open and parse a dazzling plethora of file formats — the very process we have established as the main attack target. Felix lately linked to a project by Tavis Ormandy. He wrote a framework to load and run Windows DLLs under Linux. His motivation, as he writes in the README, was to fuzz test the MS security core engine:
MsMpEng is the Malware Protection service that is enabled by default
on Windows 8, 8.1, 10, Windows Server 2016, and so on. Additionally,
Microsoft Security Essentials, System Centre Endpoint Protection and
various other Microsoft security products share the same core engine.
The core component of MsMpEng responsible for scanning and analysis is
called mpengine. Mpengine is a vast and complex attack surface,
comprising of handlers for dozens of esoteric archive formats,
executable packers, full system emulators for various architectures
and interpreters for various languages. All of this code is accessible
to remote attackers.
The reason to mention this here is that even if your browser handles everything well, your antivirus program may, ironically, betray you, because it opens all files for you.
(1) leethax0r1337fawkes has a point though that known bugs of this kind are rare and get fixed asap, for obvious reasons.
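The GIF case mentioned in the answer can be caught before any pixel is decoded, by reading the dimensions the file declares and refusing anything over a budget. The following Python is an added example, not part of the original answer; the limits `MAX_PIXELS` and `MAX_FRAMES`, the names `check_gif` and `GifRejected`, and the sample byte strings are assumptions constructed for illustration.

```python
import struct

MAX_PIXELS = 64 * 1024 * 1024  # assumed budget per canvas or frame
MAX_FRAMES = 1000              # assumed cap on animation frames

class GifRejected(ValueError):
    """Raised when a file is malformed or exceeds the decode budget."""

def _skip_sub_blocks(data, pos):
    # Sub-blocks are <length><payload> pairs ended by a zero length byte.
    while pos < len(data):
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
    raise GifRejected("truncated sub-block chain")

def check_gif(data, max_pixels=MAX_PIXELS, max_frames=MAX_FRAMES):
    """Return (width, height, frames) without decoding any pixel data."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise GifRejected("not a GIF")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    if width * height > max_pixels:
        raise GifRejected(f"canvas {width}x{height} exceeds pixel budget")
    pos, frames = 13, 0
    if packed & 0x80:                      # skip global colour table
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                  # trailer: whole file walked
            return width, height, frames
        if block == 0x21:                  # extension: label, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:                # image descriptor (one frame)
            if pos + 10 > len(data):
                raise GifRejected("truncated image descriptor")
            fw, fh, fpacked = struct.unpack_from("<HHB", data, pos + 5)
            frames += 1
            if fw * fh > max_pixels or frames > max_frames:
                raise GifRejected("frame exceeds pixel or frame budget")
            pos += 10 + (3 * (2 << (fpacked & 0x07)) if fpacked & 0x80 else 0)
            pos = _skip_sub_blocks(data, pos + 1)  # LZW code size, then data
        else:
            raise GifRejected(f"unknown block type 0x{block:02x}")
    raise GifRejected("missing trailer")

# Constructed sample inputs (not from the original answer).
SMALL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + bytes(6) + b"\x2c" + bytes(4)
             + b"\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00\x3b")
HUGE_CANVAS = b"GIF89a\xff\xff\xff\xff\x00\x00\x00\x3b"
```

A check like this only bounds memory use; it does nothing about bugs inside the decoder itself, which is the answer's main concern.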