Methods for transferring passwords to the target application

I’d expected a question like that. IT security is a little bit like fighting a war (maybe just a cold war); you have to pick your battles.

You can fret over how to stay safe while having malware on your device, but that’s the wrong battle to fight when you can choose. So instead you can put your effort into preventing malware from getting onto your device, how to detect malware as early as possible, and how to get rid of it as fast and as thoroughly as possible.

You gave an example with the question “which password input method could be how vulnerable to a cross site scripting attack?”, which is the wrong approach in my opinion. The right questions would be “how can I check if the website I’m having an account on might be vulnerable to cross site scripting?”, “how do I report such a vulnerability to the website provider?”, “how do I make sure it’s fixed in the end?” and “how can I mitigate the risk with this vulnerable site in the meantime? Do I have to use it? Can I use it within an isolated environment? …”

By picking your battles wisely you can improve your situation a lot.

The last part of the puzzle would be compartmentalization and backup strategies, but that’s too far off topic.

So I’d like to concentrate more on perspective now. Every attacker has limited resources to spend, a certain tolerance for risk and a limited set of capabilities. Also, every attacker works for a potential gain. Your job as a defender is to make yourself (and your zone of responsibility) into such a hard target that you are far outside the scope of every likely attacker.

For example:

A normal, uninteresting person using a hardware key (FIDO2) for their Google account is far outside of the scope of many attackers. Phishing would not work. Stealing or guessing the password is a dead end, because without physical access to the hardware key it’s mostly worthless. Getting physical access would require a human spending much time on a single target and taking a high risk. The further away the target is from an attacker, the higher the cost (travel) and risk. So a remote attack is actually limited to getting info stealer malware onto a target’s device to get a session cookie, and that’s a much more involved process.

So if you are an attacker and just trying to find a target, you will find enough soft targets: these are people who use the same password everywhere, who have weak passwords, who don’t use 2FA, who can’t read URLs and therefore can’t differentiate between “genuine-bank.com” and “genuine-bank-com.please-login.com”, who open links to genuine-looking login pages in urgent-sounding emails, who don’t report their mistakes and just hope no one noticed and nothing bad happens, and so on and on and on … For the same potential reward, you don’t go for the hard targets, because those require more resources and heighten the risk you take, without giving you any benefits.
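The post states that phishing does not work against a FIDO2 hardware key and that a lookalike host such as “genuine-bank-com.please-login.com” is the trap for people who can’t read URLs. The two claims are linked: a WebAuthn relying party verifies that the assertion’s client data carries the origin it expects and that the `rpIdHash` in the authenticator data is the SHA-256 of its own RP ID, and the browser only lets a page request an RP ID that matches its own host (or a registrable parent). The script below is an added illustration, not code from the original post and not a real WebAuthn library; it models just those checks. The host names, `EXPECTED_RP_ID`, `EXPECTED_ORIGINS` and the function names are constructed for the example, and the browser-side rule is simplified (real browsers also consult the public suffix list).

```python
import hashlib
import json
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample relying party: the site the user registered the key with.
EXPECTED_RP_ID = "genuine-bank.com"
EXPECTED_ORIGINS = {"https://genuine-bank.com", "https://www.genuine-bank.com"}


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the RP ID, the value WebAuthn places in authenticatorData as rpIdHash."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def browser_side_assertion(page_url: str, requested_rp_id: str) -> Optional[dict]:
    """Simplified model of the browser + authenticator for one login attempt.

    The page at page_url asks for an assertion scoped to requested_rp_id. The
    browser refuses unless that RP ID equals the page's host or is a parent
    domain of it, so a page cannot borrow another site's RP ID. The origin the
    browser records in clientDataJSON is the page's real origin, not anything
    the page chooses.
    """
    parts = urlsplit(page_url)
    host = parts.hostname or ""
    if host != requested_rp_id and not host.endswith("." + requested_rp_id):
        return None  # browser rejects: RP ID is not valid for this origin
    client_data = {"type": "webauthn.get", "origin": f"{parts.scheme}://{host}"}
    return {
        "client_data_json": json.dumps(client_data).encode(),
        "rp_id_hash": rp_id_hash(requested_rp_id),
    }


def relying_party_verifies(assertion: Optional[dict]) -> bool:
    """Two of the checks a relying party performs on an assertion: origin and rpIdHash."""
    if assertion is None:
        return False
    client_data = json.loads(assertion["client_data_json"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") not in EXPECTED_ORIGINS:
        return False
    # Constant-time compare is not needed for a public hash, but mirrors practice.
    return assertion["rp_id_hash"] == rp_id_hash(EXPECTED_RP_ID)


def login_attempt(page_url: str, requested_rp_id: str) -> bool:
    """Does a user sitting on page_url get accepted by genuine-bank.com's verifier?"""
    return relying_party_verifies(browser_side_assertion(page_url, requested_rp_id))


if __name__ == "__main__":
    cases = [
        ("https://genuine-bank.com/login", "genuine-bank.com"),
        ("https://www.genuine-bank.com/login", "genuine-bank.com"),
        # Lookalike host from the post asking for the bank's RP ID: browser refuses.
        ("https://genuine-bank-com.please-login.com/login", "genuine-bank.com"),
        # Lookalike host asking for its own RP ID: origin and rpIdHash both mismatch.
        ("https://genuine-bank-com.please-login.com/login", "please-login.com"),
    ]
    for url, rp in cases:
        print(f"{url:55} rp={rp:20} accepted={login_attempt(url, rp)}")
```

The point the model makes explicit is that the user never has to read the URL correctly for the key to protect them: the browser and the relying party compare hosts byte for byte, so the lookalike page either gets no assertion at all or gets one that the bank rejects. The same cannot be said for a password, which the user will type into whatever page looks right.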