In my opinion, OSA alongside your main AV may be sufficient for a good security level.
I'd enable "block the execution of unsigned processes on Local AppData"
and "block the execution of unsigned processes on Roaming AppData", as these folders usually contain ransomware exe files.
BTW, some malware is fake-signed, and in this case some detection problems could happen.
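
An added example, not part of the original post and not OSArmor's own logic: a read-only PowerShell audit that lists the `.exe` files under Local and Roaming AppData with their Authenticode status. It previews what a rule on unsigned processes would affect and separates files that carry a signature which does not validate. It assumes Windows' own Authenticode check is a reasonable stand-in for "signed".

```powershell
# Added example: audit Authenticode status of executables in the two AppData folders.
# Read-only: nothing is blocked, moved or deleted.
$roots = @($env:LOCALAPPDATA, $env:APPDATA) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$report = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $sig) { return }   # unreadable or locked file: skip it

            # Three buckets: validly signed, no signature at all, and a
            # signature that is present but fails validation
            # (HashMismatch, NotTrusted, UnknownError, ...).
            $category = switch ($sig.Status.ToString()) {
                'Valid'     { 'valid' }
                'NotSigned' { 'unsigned' }
                default     { 'signature-not-valid' }
            }

            [pscustomobject]@{
                Category = $category
                Status   = $sig.Status
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Path     = $_.FullName
            }
        }
}

# Summary counts, then every file that is not validly signed.
$report | Group-Object Category | Select-Object Name, Count
$report |
    Where-Object { $_.Category -ne 'valid' } |
    Sort-Object Category, Path |
    Format-Table Category, Status, Signer, Path -AutoSize -Wrap
```

Legitimate unsigned programs that install per-user will show up under `unsigned`, so the list also indicates which exclusions would be needed before enabling such a rule.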