What a wonderful scenario that I actually hadn’t considered before!
The short answer is yes, you should be quite safe. The longer answer is that you should be quite safe as long as you practice safe computing and you know what you’re looking out for.
Become a Patron of Ask Leo! and go ad-free!
Malware is about more than email
First, this is about much more than just email.
Basically, any files originating from a Windows XP machine will be at a very slightly higher risk of including malware. Before the XP people get all upset, I want to emphasize, the risk will be only slightly higher. I don’t think this is a huge issue, but there’s no avoiding the fact that XP will have un-patched vulnerabilities; and that means that whether things that originated from an XP machine are safe will depend much more heavily now on the safety savvy of its user; which by definition is kind of a wild card.
So whether the file comes via email, CD, USB stick, memory card or some other way, the slightly elevated risks are all the same.
Attachments and malware and threats, oh my!
You’re right in that when it comes to email, the primary worry is about attachments. And you’re correct that plain email without attachments is unlikely to actually carry malware.
However, what you also need to be concerned about might be phishing attempts. Malware on your friend’s machine could theoretically access his email and start sending well-crafted messages that somehow result in your clicking a link because you think it’s from your friend, when it’s not. That link could lead you to malware.
Now, absolutely none of these are new threats. None of these hazards are unique to XP users; they happen all the time for various reasons. While a small amount of additional caution might be warranted with your XP-loving friends, it’s not something that causes me great concern.
What matters most is that you just keep yourself safe from these threats in general.
You know the litany: keep your system up to date; keep your security up to date, and just practice safe internet.