As it's been mentioned, it's not always questionable websites. Security patches come after an exploit, so it's never safe to assume you're 100% secure on unquestionable sites.
It wasn't too long ago that a crafty user using some key escape characters could execute JavaScript within a comment box on a website. Heck, I still come across reputable (as in, not porn/drug related) websites that are vulnerable to injection. Some of this stuff can be patched by the browser (e.g. cross-script) after they know about it.
Welp, to keep it simple, you are right. But before this exploit's existence, people should have always practiced better online security. I don’t doubt normal sites or ads being infected can cause issues. My argument is that people should have always been using the “trust no one” mentality.
All of my important stuff is done on a different computer, and all of them are 2FA-enabled. Even my gaming services like Steam and Blizzard are 2FA.