If I keep all incoming connections blocked, but also all outgoing connections blocked except my browser (no MS/Win service is communicating with anything online), would my attack surface be just the browser? So it wouldn’t matter if Win is not updated?
The malware doesn’t usually attack windows through windows communications. They usually enter through browser traffic and effect other operations from there. That is where the risk is coming from using windows after its end date. Any new exploits found will not be fixed (except for business licenses I think they’re still doing those for a little while longer). I recommend doing what I did. Find a user friendly Linux version and take the plunge. I’m using Mint right now and it’s almost indistinguishable from my windows 10 console.
edit: nvm, thanks for the answer.