Block all softwareupdated connections, and block SoftwareUpdateNotificationManager and SoftwareUpdateLauncher. Block mesu.apple.com specifically for nsurlsessiond, though you could apply it globally. I have also blocked systemmigrationd from accessing swcdn.apple.com and swscan.apple.com, as LS tells me those are for OS updates.
Might need to block mobileassetd as well, for gdmf.apple.com. I already have it blocked as that's what's used for AI.
I should note that I have disabled all of the default LS rules that trust iCloud/macOS services, so I manually approve or deny any connection, even system. I basically just blocked everything that looked like a software update checker.
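The rule set described above, modelled as an added example (not Little Snitch's own rule format, and not code from the original text) to show what a per-process block leaves open compared with a global one. The `Rule` tuple, the function names and the observed connections are constructed for illustration.

```python
from collections import namedtuple

# (process, host) deny rules taken from the text; host None means "any host".
Rule = namedtuple("Rule", "process host")
RULES = [
    Rule("softwareupdated", None),
    Rule("SoftwareUpdateNotificationManager", None),
    Rule("SoftwareUpdateLauncher", None),
    Rule("nsurlsessiond", "mesu.apple.com"),
    Rule("systemmigrationd", "swcdn.apple.com"),
    Rule("systemmigrationd", "swscan.apple.com"),
    Rule("mobileassetd", "gdmf.apple.com"),
]

def _norm(host):
    # Hostnames are case-insensitive and may carry a trailing root dot.
    return host.lower().rstrip(".")

def is_denied(process, host, rules=RULES, global_hosts=()):
    """True if a global host block or a per-process rule denies the connection."""
    host = _norm(host)
    if host in global_hosts:
        return True
    return any(r.process == process and r.host in (None, host) for r in rules)

def audit(connections, rules=RULES, global_hosts=()):
    """Split observed (process, host) pairs into denied ones and gaps.

    A gap is an allowed connection to a host that is blocked only for
    some other process, i.e. the per-process rule does not cover it.
    """
    update_hosts = {r.host for r in rules if r.host}
    denied, gaps = [], []
    for process, host in connections:
        if is_denied(process, host, rules, global_hosts):
            denied.append((process, host))
        elif _norm(host) in update_hosts:
            gaps.append((process, host))
    return denied, gaps

# Constructed sample of observed connections (not real capture data).
OBSERVED = [
    ("softwareupdated", "swscan.apple.com"),
    ("nsurlsessiond", "mesu.apple.com"),
    ("nsurlsessiond", "example.com"),
    ("mobileassetd", "mesu.apple.com"),   # hypothetical: second process, same host
    ("systemmigrationd", "SWCDN.apple.com."),
]
```

Running `audit(OBSERVED)` reports the constructed mobileassetd connection as a gap; passing `global_hosts={"mesu.apple.com"}` closes it.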
No, you have to take a look at your potential attack vectors. Someone could, theoretically, craft an exploit that can get you from the wide web through your router to your computer. This relies on either you exposing ports through your router, or your router being insecure. So, make sure you have your router up to date, and don't forward ports unless you're certain you trust the service running on that port. Additionally, have a firewall, one that's set to block incoming connections. The section above talks about Little Snitch, but there are free options including the built-in macOS one, as well as LuLu. In order to successfully attack you, someone would have to go through your router, exploit a vulnerability in your network stack, then likely combine that with other vulnerabilities.
Otherwise, you're vulnerable to the software you download and open. Don't download untrusted software. You can upload software to VirusTotal, and it will tell you if it detects any viruses. It's mostly basic computer security. Use an adblocker (this is even recommended by the FBI).
Most macOS malware these days tends to be more of the info-stealer variety, rather than the deep-penetrating software we've seen in the past. So, of course, use password managers, 2FA, etc. And yes, you are far more vulnerable to social-engineering-style attacks nowadays.