smb (edited)

So here are some reasons for having a firewall on a computer that I did not read in the thread (could have missed them).
I had already written this but then lost the text again before it was saved :( so here is a compact version:

  • having a second layer of defence, to prevent some of the direct impact of e.g. supply chain attacks like "upgrading" to a maliciously manipulated version.
  • control things tightly and report strange behaviour as an early warning sign 'if' something happens, whether attacks or bugs.
  • learn how to tighten security and know better what to do in case you need it some day.
  • sleep more comfortably knowing what you have done or prevented
  • compliance with some laws or customers' buzzword-matching wishes
  • the fun of doing it because you can
  • getting in touch with real-life side quests that you would never be aware of if you did not actively practice by hardening your system.

One side quest example I stumbled upon:
Imagine an attacker has compromised the vendor of a software you use on your machine. This software connects to some port eventually, but pings the target first before doing so (whatever! you say).
From time to time the ping does not go to the correct 11.22.33.44 of the service (weather app maybe) but to 0.11.22.33. Looks like a bug, you say, never mind.

Could be something different.
Pinging an IP that does not exist ensures that the connection tracking of your router keeps the entry until it expires, opening a time window that is much easier to hit even if clocks are a bit out of sync.

Also, the attacker knows the IP that gets pinged (but it's an outbound connection to an unreachable IP, you say, what could go wrong?).

Let's assume the attacker knows the external IP of your router by other means (e.g. you've sent an email to the attacker and your freemail provider hands over your external router address to him inside an email Received header, or the manipulated software updates a dyndns address, or the attacker just guesses your router has an address in your provider's dial-up range, no matter what.)

So the attacker knows when and from where (or what range) you will ping an unreachable IP address, and in exactly what timeframe (the software running from cron, or in user space and pinging at exact times to the "buggy" IP address).

Then within that timeframe the attacker sends an ICMP unreachable packet to your router's external address, and puts the known buggy IP in the payload as the address that is unreachable. The router matches the payload of the packet, recognizes it is related to the known connection tracking entry and forwards the ICMP unreachable to your workstation, which in turn gives your application the information that the IP address of the attacker informs you that the buggy IP 0.11.22.33 cannot be reached by him. As the source IP of that packet is the IP of the attacker, that software can then open a TCP connection to that IP on port 443 and follow the instructions the attacker sends to it.

Sure, the attacker needs that backdoor to already exist and run on your workstation, and to know or guess your external IP address, but the actual behaviour of the software looks normal, a bit buggy maybe, but there is exactly no information within the software about where the command and control server would be, only that it would respond to the ICMP unreachable packet it would eventually receive. All connections are outgoing, but the attacker "connects" to his backdoor on your workstation through your NAT "Firewall" as if it did not exist, while hiding the backdoor behind an occasional ping to an address that does not respond, either because the IP does not exist, or because it cannot respond due to a DDoS attack on the 100% sane IP that actually belongs to the service the app legitimately connects to, or due to a maintenance window the provider of the manipulated software officially announces. The attacker just needs the IP to not respond, or to respond slooowly, to increase the timeframe for connecting to his backdoor on your workstation before your router deletes the connection tracking entry of that unlucky ping.

If you don't understand how that example works, that is absolutely normal, and I might be bad at explaining too. Thinking out of the box, around corners that only sometimes are corners to think around, and only under very specific circumstances that could happen by chance, or could be directly or indirectly under control of the attacker while only revealing the attacker's location in the exact moment of connection, is not an easy task and can really destroy the feeling of achievable security (aka the belief to have some "control"). But this is not a common attack vector, only maybe an advanced one.

Sometimes side quests can be more "informative" than the main course ;-)
So I would put that ("learn more", not the example above) as the main good reason to install a firewall and other security measures on your PC even if you'd think you're okay without it.
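As an added illustration of the kind of correlation a host firewall's log makes possible against the scenario in the post above (example code written for this page, not from the poster or any product; the Event records, field names and the 120-second window are assumptions): it flags pings to addresses that can never answer, and flags an outbound TCP connection to whichever third party sent an ICMP unreachable quoting one of our own pings.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical flattened flow records; a real deployment would feed these from
# the host firewall's log or a packet capture.
@dataclass
class Event:
    ts: float             # seconds since start of the trace
    kind: str             # "echo_req", "icmp_unreach" or "tcp_syn"
    src: str
    dst: str
    quoted_dst: str = ""  # for icmp_unreach: destination quoted in the inner header

WINDOW = 120.0  # seconds: assumed upper bound for a NAT conntrack entry on a ping

# Networks that can never legitimately answer a ping (0.11.22.33 is in the first).
NEVER_ANSWERS = [ip_network(n) for n in ("0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]

def is_bogon(ip: str) -> bool:
    a = ip_address(ip)
    return any(a in net for net in NEVER_ANSWERS)

def detect(events):
    """Return (ts, rule, ip) alerts for the pattern described in the post."""
    alerts, pings, informants = [], {}, {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "echo_req":
            pings[e.dst] = e.ts                       # remember what we probed
            if is_bogon(e.dst):
                alerts.append((e.ts, "bogon_ping", e.dst))
        elif e.kind == "icmp_unreach":
            t = pings.get(e.quoted_dst)
            if t is not None and e.ts - t <= WINDOW:  # relates to one of our pings
                informants[e.src] = e.ts              # third party that "answered"
        elif e.kind == "tcp_syn":
            t = informants.get(e.dst)
            if t is not None and e.ts - t <= WINDOW:  # we now connect to that party
                alerts.append((e.ts, "connect_to_icmp_source", e.dst))
    return alerts

SAMPLE = [  # constructed trace, not captured traffic
    Event(0.0,  "echo_req",     "192.168.1.10", "11.22.33.44"),
    Event(60.0, "echo_req",     "192.168.1.10", "0.11.22.33"),
    Event(75.0, "icmp_unreach", "203.0.113.9",  "192.168.1.10", quoted_dst="0.11.22.33"),
    Event(76.0, "tcp_syn",      "192.168.1.10", "203.0.113.9"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A legitimate router on the path may also send an unreachable for a dead destination, so the second rule is only interesting when the host then opens a TCP connection to that exact router address, which is what the two-stage match requires.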
