>or even zero-click exploits.

You'd need a VM to safely contain any exploits, although you're probably safe from 0days if you're just doing some run of the mill ad clicking. Nobody is burning a 6-7 figure 0day on a public ad network, when they need to save that for targeted attacks like politicians/journalists, so keeping your browser reasonably up to date will be sufficient.

For sure, it would be technically challenging. Especially if the click requires use of a secure cookie. But it doesn’t have to be perfect to be effective, either, at least at first.