Thanks for all those info, really useful.
So to sum up, a common P2PKH transaction with 1 input and 2 outputs w.r.t the hashes and signature needs the following:
Input ECDSA signature: ~70 bytes (64 in taproot)
Input ECDSA public key: 33 bytes
For each output hash: 20 bytes
Not quite. As explained above, you can't just insert the public key or the output locking script on their own. You need to include additional OP codes which tell the software what to do with the data.
For including the public key in the signature, you need to include a byte saying how long that public key is. For a 33 byte compressed public key, you would prefix it with 0x21 (with 21 being the hex representation of 33). So that becomes 34 bytes in total.
For the output locking script, you need to prefix with a byte saying how long the script is, followed by OP_DUP, OP_HASH160, OP_PUSH (20 bytes), then the 20 byte pubkey hash, then OP_EQUALVERIFY and OP_CHECKSIG. This would look like this:
0x1976a914-PUBKEYHASH-88ac
So instead of just 20 bytes, the whole thing becomes 26 bytes.