For your number 1, I have moved completely to Safari for almost everything. Also added Wipr for ad blocking and iVerify on iOS for forcing HTTPS-only connections. I still keep an updated Firefox browser on my MacBook if I ever want to disassociate web activity from Safari.
For your number 2, what seems dangerous can be in the eye of the beholder. Malicious web fonts have been a favorite of one- and zero-click malware threat actors like NSO and the Chinese intelligence service. The latter often poison seemingly legitimate websites focused on human rights with malicious web fonts used to deploy advanced spyware on iOS.
As for attachments not being blocked, I assume you mean in email? iMessage blocks most attachment formats including common image file types and all PDFs. For email I use Protonmail and have all automatic downloads/remote content turned off for all emails. Similar settings exist for Apple Mail.
But you are right that there are additional low-hanging fruit Apple can do to harden Lockdown Mode or at least offer additional hardening options for users who want them. I suspect they will do exactly that, as they have promised to continue updating Lockdown Mode and have delivered some improvements in the short time it has been around. Considering how few people utilize Lockdown Mode, I think the fact they focus on it, offer it to anyone that wants it, and have a proven track record of blocking state-level malware reflects very well on Apple’s security team.