If I keep all incoming connections blocked, but also all outgoing connections blocked except my browser (no MS/Win service is communicating with anything online), would my attack surface be just the browser? So it wouldn’t matter if Win is not updated?
No. That still works of course, but there are other ways. You wouldn’t believe how much stuff your browser actually executes.
Believe me, you won’t believe it
edit: nvm, thanks for the answer.