If I keep all incoming connections blocked, but also all outgoing connections blocked except my browser (no MS/Win service is communicating with anything online), would my attack surface be just the browser? So it wouldn’t matter if Win is not updated?
All breaches i’ve seen so far where either “i tought it was safe” or the “yeah it looked a bit suspicious but I clicked it just to see”