If I keep all incoming connections blocked, but also all outgoing connections blocked except my browser (no MS/Win service is communicating with anything online), would my attack surface be just the browser? So it wouldn’t matter if Win is not updated?
No, also the browser is the thing that gets breached. It would be like bricking up all your windows so no one could break them and get in your house but only having a screen door in front.
Yes technically the browser alone is a “reduced attack surface”, but it’s reduced by .001%.
Switch to 21h2 ltsc iot.