There were 2 separate risks bundled into this folklore.

One was it was common enough of to have a home internet setup without any inbound filtering external to the PC. That'd be nearly unheard of nowadays as nearly everyone has a router configured to perform as stateful firewall (the out of the box config of a home router, this system being the same underlying system that builds the session table for masquerade NAT). So you can have your XP machine sit there until the cows come home, nothing external is going to scan it anymore.

The other is just general "having internet access means malware can upload your information and download more malware". In practice for hacking with XP these days, that's "do you trust whatever you're copying over to mess with" and not an issue.

The only combination I'd caution against is "using XP as a daily driver for internet browsing" as there are unpatched security bugs in XP malware can target which don't require you to click anything, even in the somewhat more modern browser offerings. Even then, it's still just a matter of "how much do you care if this machine & the data on it get hacked" vs "how much do you want to do it that way" just like any other security question. There is no such thing as a universally agreed line on how much constitutes a bad risk in security.