I get that there won’t be any security updates. So any problem found can be exploited. But how high is the chance for problems for an average user if you, say, only browse some safe websites? If you have a PC you don’t really care much about, without any personal information? It feels like the danger is more theoretical than what will actually happen.

Or… are there any examples of people (not corpos) getting wrecked in the past by an EOL OS?

  • Assuming “safe sites” means “websites that don’t use ads and don’t require a recent browser”: very little, as long as you have your firewall on. Setting up a domain whitelist like that and making those websites work with shims for every source of third-party code is a pain, though.

    If your PC gets hacked it’ll probably become part of a botnet and DDoS websites, even if you don’t have anything you care about on there. Don’t be a dick, don’t let your PC become part of a botnet.

    People get wrecked all the time because everything from news websites to social media will load third-party scripts at some point. If you use an offline email program, you’ll receive emails containing the same shit. Attachments from people you know who got hacked are a common way to get hacked.

    The biggest risk for using outdated operating systems with modern computer use isn’t necessarily getting hacked directly, like Windows XP used to suffer from, but the tools you use no longer producing updates for your OS. No software company is going to maintain a Windows XP version of their latest tool and go through all the steps for securing it when they need to build the sandboxing and memory protection code themselves, while modern operating systems have that stuff built in. Letting competitors use newer and better tooling to get their software out quicker is a risk, and very little recent tooling bothers to support Windows 7.

    You won’t magically get hacked by simply having an old computer in your network, but doing stuff people actually like to do on computers is a quick way to get hacked. This is why DOS and Win9x systems are still running factories and why XP is still usable for running X-ray machines; it’s okay if you lock down the code that can be run tightly enough.