I use a Mac primarily at home and don't bother with anti-virus, even though I work in infosec as my day job. It's not that Macs are magically less vulnerable, but instead it's that, generally, there is less malware written targeting Macs. And most malware that DOES impact Macs is distributed by reckless clicking, so you can avoid it pretty easily if you just don't click on suspicious stuff. That said, I do use AV on my work Macs, but that's more sensitive than anything I do on my home computer (AV is also part of our company's security standards, also).
On Windows, however, AV is pretty much a necessity. Windows systems are extremely vulnerable to malware, as they represent the bulk of OS installs worldwide and so the majority of attacks are written to attack them. Windows Defender is not enough. Most of the big, trusted companies will work fine for consumer level protection (Norton, McAfee, etc). I don't interact with consumer-level AV anymore, so I can't recommend one in specific, but you'll likely be fine with Norton.
Additionally, and possibly more important than AV, you need to stay on top of your Windows updates. The worst attacks generally come from running unpatched software. Set your OS to update automatically, weekly if possible, and don't put off updates if they require a reboot more than a day or so. Make sure any software you use is also updated regularly, too.
Keep your systems and software updated, maintain AV on your Windows box, don't click on suspicious links or open suspicious emails, don't download off shady websites, and you'll likely never have a problem with bad actors and malicious software.
Definitely agree that Macs have traditionally been less of a target, but not immune from security holes. I worked in IT for twenty years, cyber security for seven of them.
Do you need anti-malware for a Mac? The responsible answer is "probably yes", kinda like if someone were to ask if they should have insurance on their camera gear. Practically, at this point in time, possibly not.
In many ways it's a risk decision like insurance. Anti-malware solutions are meant to reduce the impact of malware, but if your likelihood of compromise via malware or an unpatched system is very low, then it might be reasonable to accept the risk and forego an anti-malware solution. One way you might mitigate the risk without AV is to practice all the good security and backup practices. Staying up to date on patches, ensuring frequent offline backups, not reusing passwords, etc.