Viruses don’t need to be .exes by the way. There were spectre/meltdown proofs of concept that only ever used front end JavaScript.
Because the modern style of CPU attack (zenbleed too) usually side chains access to private memory (where your authentication details exist) they can get full system control without executing any .exes.
That computer would need a firewall disabling all incoming traffic, the latest bios firmware patches and js disabled on Firefox to be close to safe. And that’s the base level stuff.