If I keep all incoming connections blocked, but also all outgoing connections blocked except my browser (no MS/Win service is communicating with anything online), would my attack surface be just the browser? So it wouldn’t matter if Win is not updated?

  • hexagonwin@lemmy.blahaj.zone
    11 hours ago

    It wouldn’t prevent all vulnerabilities, so theoretically you can still be pwned, but practically that’s going to work for most cases imo. I’ve done this in the past: block everything except for some proxy port, then configure the browser to use that proxy, and use nuTensor/uBlock Origin in the browser to only allow essential things.

    If you’re talking about Windows 10, install Win10 Enterprise IoT LTSC 21H2 and disable all the telemetry crap. That gives you a clean(?) Windows setup with support until 2032.
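
The setup described in the comment above, as an added example that is not part of the thread: Windows Defender Firewall set to default-deny in both directions with one outbound exception for a proxy, followed by an audit of the outbound allow rules that are still enabled. The proxy address, port and rule name are placeholder assumptions.

```powershell
#Requires -RunAsAdministrator
# Assumed values (not from the thread): replace with your own proxy endpoint.
$ProxyAddress = '192.0.2.10'                    # placeholder, documentation address range
$ProxyPort    = 3128                            # placeholder proxy port
$RuleName     = 'Allow outbound to proxy only'  # hypothetical rule name

# 1. Default-deny in both directions on every firewall profile.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. The single intended exception: outbound TCP to the proxy endpoint.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
        -Protocol TCP -RemoteAddress $ProxyAddress -RemotePort $ProxyPort `
        -Profile Any | Out-Null
}

# 3. Audit: the default action only applies when no rule matches, so every
#    other enabled outbound allow rule is still a path out of the machine.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object DisplayName -ne $RuleName |
    ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Group      = $_.DisplayGroup
            Program    = $app.Program
            Protocol   = $port.Protocol
            RemotePort = $port.RemotePort -join ','
        }
    } |
    Sort-Object Group, Rule |
    Format-Table -AutoSize
```

Any rule the audit lists is traffic that is still permitted despite the default block action; review each one and disable those you do not need with `Disable-NetFirewallRule`.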