Or am I still just overthinking it and fearing the monsters under my CPU?
In my opinion, other measures are more important, like applying security baselines and using application control (preferably WDAC). The latter will also hinder accidentally running something, like clicking on an executable covering as a different file type or malware dropping a payload on disk and running it, at the expense of more maintenance and less flexibility. You can make Windows Defender have better detection rates by using Cloud Protection, Automatic Sample Submission and Block On First Sight, at the expense of giving a lot of data to Microsoft. And you can upload every executable you download to Virustotal for multi-AV checks, or use winget to install and update software which has additional checks in place and barely any downsides.
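The three concrete measures in the reply above (Defender cloud settings, a VirusTotal check of a download, and a WDAC policy started in audit mode), as an added PowerShell example that is not the commenter's code. It assumes an elevated PowerShell 7 session on Windows 10/11 with Microsoft Defender Antivirus active (the `-Form` parameter of `Invoke-RestMethod` is not in Windows PowerShell 5.1), and that the caller supplies a VirusTotal API key; the function names, the output directory and the scan path are placeholders chosen for the example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Assumes Windows 10/11, Defender AV
# active, PowerShell 7, and a VirusTotal API key passed in by the caller.

function Set-DefenderCloudHardening {
    # The cloud-backed features the reply mentions. Each one sends more
    # telemetry or file content to Microsoft; that is the trade-off.
    Set-MpPreference -MAPSReporting Advanced                # Cloud-delivered protection
    Set-MpPreference -SubmitSamplesConsent SendAllSamples   # Automatic sample submission (uploads files)
    Set-MpPreference -DisableBlockAtFirstSeen $false        # Block at First Sight
    Set-MpPreference -CloudBlockLevel High                  # Stricter cloud verdicts
    Set-MpPreference -CloudExtendedTimeout 50               # Wait up to 50 s extra for a cloud verdict

    # Return the effective settings so the change can be verified.
    Get-MpPreference | Select-Object MAPSReporting, SubmitSamplesConsent,
        DisableBlockAtFirstSeen, CloudBlockLevel, CloudExtendedTimeout
}

function Get-VirusTotalVerdict {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ApiKey   # placeholder: your own VT API key
    )
    # Look the file up by SHA-256 first: that leaks only the hash. Uploading
    # the file itself makes it available to other VT users, so only do that
    # when VT has never seen it (404) and the file is not confidential.
    $hash    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    $headers = @{ 'x-apikey' = $ApiKey }
    try {
        $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$hash" -Headers $headers
    } catch {
        if ($_.Exception.Response.StatusCode -eq 404) {
            $r = Invoke-RestMethod -Uri 'https://www.virustotal.com/api/v3/files' -Method Post `
                                   -Headers $headers -Form @{ file = Get-Item $Path }
            return [pscustomobject]@{ Sha256 = $hash; Status = 'uploaded, analysis pending'; AnalysisId = $r.data.id }
        }
        throw
    }
    $s = $r.data.attributes.last_analysis_stats
    [pscustomobject]@{
        Sha256     = $hash
        Malicious  = $s.malicious
        Suspicious = $s.suspicious
        Harmless   = $s.harmless
        Undetected = $s.undetected
    }
}

function New-WdacAuditPolicy {
    # Builds a WDAC policy from what is installed now and leaves it in audit
    # mode, so nothing is blocked yet: Code Integrity only logs what would
    # have been blocked (Microsoft-Windows-CodeIntegrity/Operational, event 3076).
    param([string] $OutDir = "$env:TEMP\wdac")     # placeholder output directory
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $xml = Join-Path $OutDir 'policy.xml'

    # Publisher rules where files are signed, hash rules as the fallback;
    # -UserPEs includes user-mode binaries, which is where the accidental
    # double-click in the reply happens.
    New-CIPolicy -FilePath $xml -Level Publisher -Fallback Hash `
                 -ScanPath 'C:\Program Files' -UserPEs -MultiplePolicyFormat
    Set-RuleOption -FilePath $xml -Option 3       # option 3 = Enabled:Audit Mode

    $policyId = ([xml](Get-Content $xml)).SiPolicy.PolicyID
    $bin = Join-Path $OutDir "$policyId.cip"
    ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin | Out-Null
    # To activate: copy $bin to C:\Windows\System32\CodeIntegrity\CiPolicies\Active\
    # and reboot. Review the audit events for a while before removing option 3.
    return $bin
}

# Usage (API key and download path are placeholders):
# Set-DefenderCloudHardening
# Get-VirusTotalVerdict -Path "$env:USERPROFILE\Downloads\tool.exe" -ApiKey $env:VT_API_KEY
# New-WdacAuditPolicy
```

The hash-first VirusTotal lookup is deliberate: it gives the multi-AV verdict for anything VT already knows without handing the file over, and the upload only happens for unknown files, where the reply's "giving a lot of data" caveat applies just as much to VirusTotal as to Microsoft. The WDAC function stops at audit mode because the reply's "more maintenance and less flexibility" cost shows up in the 3076 events before anything is enforced.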