"Download and run" is still the easiest and most common way to catch malware. Even sticking flash drives has become safe since Windows disabled autorun.
All sorts of exploits that allow an infection to penetrate your PC without requiring any action on your part do exist. They are closed in browser and operating system updates long before antiviruses develop a method for eliminating the "symptoms" of real vulnerabilities - those same worms and ransomware.
The inability to protect yourself from all threats with careful surfing does not mean that antivirus will protect you from these threats. I consider antivirus a convenient tool for removing existing malware, when it and its varieties have been known for a couple of months and you are going to repair the computer of an accountant or a girl you know who pressed the wrong button. The last time I saw a ransomware virus caught "from the browser" from an open page on a normal machine was about ten years ago.
The constant use of the same kaspersky or drweb does more harm than good, in terms of false positives, system slowdowns and increased power consumption on a laptop. The rest of the antiviruses show the same disadvantages, but more pronounced, and they catch rubbish even worse (personal experience).
In connection with all of the above, I do not approve of the constant use of an antivirus monitor, since they are not effective if you pulled a short match on a new exploit, but they slow down normal work.

Why do you need an antivirus?

Why do you need I do not know. This is what you need to ask.
Why do I need I know. And if I install an antivirus, then I install it to solve specific tasks known to me, and not because everyone else does it.

I want to know whether it is possible to get infected while walking on the Internet (without launching anything from the downloaded one).

But how will you surf the Internet without downloading anything?
That is, you sent a request to Yandex, but you do not download the answer to your request, that is, you do not receive and open the Yandex page? Are you just sending requests and not accepting responses? So?
Then of course you can't get sick.
And if you download - you can.

and what is the chance of being hacked through an exploit?

Such questions are best addressed to psychics or fortune tellers.
Without knowing what specific exploit is in question, and what system you have, and with what settings, only a professional clairvoyant and clearly hearing can answer this question.

It seems like the browser has a sandbox, how much will it save from such cases?

The sandbox isolates the code executed by the browser from the system. This is a protection mechanism that works and protects perfectly.
But any mechanism is not perfect, and sometimes it does not cope, or there are holes in the security of the mechanism.

For 2 years now I have not been using antivirus, even built into Win10. I actively use such extensions as NoScript and uBlock Origin (much better than AdBlock, at least in that it allows you to manually block scripts / styles / domains without a headache. Plus, there are a lot of subscriptions, for every taste, you don’t even need to search the forums). I download only from trusted sources. For the sake of interest, I periodically check the hardware for viral activity - the result is more than satisfactory, not a single malware in 2 years.

For an ordinary user, antivirus is better than not being. I haven't used it for a long time, but only because I know how to set up security systems on my computers.
As for "I just watch the pages and don't download anything, and if I download, I don't launch it" - any opening of the page is already downloading and launching. JS and plugins on pages, pictures that can exploit vulnerabilities in the browser or system. A friend "asked me to rewrite the file from the flash drive" and so on - there are a lot of vectors for malware to penetrate the computer, and not all of them require "download and run". Just a computer with a network connection is enough, and you already run the risk of winding up on the screws. The operating system also has vulnerabilities that can be exploited without any user intervention at all (see the mechanisms for spreading viruses such as SASSER, Blaster, Petya/NotPetya, BadRabbit, and others like that).

take an interest in the slang word scrap
is usually used when describing doorways

In light of the latest problems with processors, any action after turning on the power is dangerous.
Probability is problematic to calculate, because there is no way to calculate statistics
Chromium's sandbox was bypassed, cunningly, but bypassed. Google knowingly pays big money for its vulnerabilities

So that your gadget is not hacked. If it is hacked, then hackers can:
1) Withdraw money from you.
2) In some cases, hackers can sell your account. For example, an account from minecraft that you bought for money on the official website of modging.