There are two categories of threats:
- those that attack from a network (trying to connect to open ports and the like)
- those that attack from inside (usually through your browser or e-mail).
Running in a VM offers some protection against the first kind (but then being behind your home router also does...). For the second kind, your Windows machine is exposed to essentially the same threats as if it were running on "bare metal" (and the same goes for a Linux VM on a Linux host).
Then what matters are the risks and the consequences.
- If you use the VM as your regular working machine then it must be protected like a regular working machine running on the hardware.
- If you have only very specific uses (testing a Windows version of something, for instance...), hardly use the web on it (and only on safe sites) and can easily rebuild the machine(*), then you can lower your protections (but don't give the VM access to your whole host file hierarchy through shared folders...).
(*) ideally you start from a fresh machine each time...
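
The shared-folder caveat above can be checked mechanically. This is an added example, not part of the original answer: it assumes VirtualBox (the answer names no hypervisor) and the `SharedFolderPathMachineMappingN` keys printed by `VBoxManage showvminfo <vm> --machinereadable`, runs on constructed sample output, and treats a share as too broad when its host path is the home directory or any ancestor of it (including `/`).

```python
import posixpath
import re
from pathlib import PurePosixPath

# Constructed sample in the style of `VBoxManage showvminfo <vm> --machinereadable`.
# VM name, share names and paths are made up for illustration.
SAMPLE = '''\
name="win-test"
SharedFolderNameMachineMapping1="everything"
SharedFolderPathMachineMapping1="/"
SharedFolderNameMachineMapping2="home"
SharedFolderPathMachineMapping2="/home/alice"
SharedFolderNameMachineMapping3="exchange"
SharedFolderPathMachineMapping3="/home/alice/vm-exchange/win-test"
'''

_KEY = re.compile(r'^SharedFolder(Name|Path)MachineMapping(\d+)="(.*)"$')

def parse_shares(text):
    """Return [(share_name, host_path), ...] in mapping order."""
    shares = {}
    for line in text.splitlines():
        m = _KEY.match(line.strip())
        if m:
            kind, idx, value = m.groups()
            shares.setdefault(int(idx), {})[kind.lower()] = value
    return [(s.get("name", ""), s["path"])
            for _, s in sorted(shares.items()) if "path" in s]

def too_broad(host_path, home):
    """True if the share exposes the home directory or any ancestor of it."""
    # normpath collapses "..", "." and trailing slashes before comparing
    p = PurePosixPath(posixpath.normpath(host_path))
    h = PurePosixPath(posixpath.normpath(home))
    return p == h or p in h.parents

def audit(text, home):
    """List the shares that hand the guest most of the host file hierarchy."""
    return [(n, p) for n, p in parse_shares(text) if too_broad(p, home)]

if __name__ == "__main__":
    for name, path in audit(SAMPLE, "/home/alice"):
        print(f"share {name!r} exposes {path}: narrow it to a dedicated exchange directory")
```

A dedicated exchange directory such as the third share passes the check; anything at or above the home directory is reported.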