While there are many malware which spread over USB storage was very common, i only recall very few malware which also move sensitive data/file over USB storage with goal uploading to creator's server.
That's true. Aside from networking, you'll only use small portion of the storage and barely use the CPU/GPU. It's one of reason people also prefer to use their old PC or laptop.
Yeah this is exactly why I thought of using RPi Zero. The only problem is that I can't find any RPi Zero without WiFi (the non-W version). At least where I live, it's difficult to find.
But if you can find W version easily, consider buying that and uninstall both WiFi and Bluetooth driver.