Which means that I can give you the primary address and it will generate a new address behind the scenes for every transaction?
Correct. The short explanation is basically ECDH. You create a new random key pair for each transaction, and use your one-time private key and my shared public key to generate a new address. I can calculate the same address by using your public key (which is attached to the transaction) and my private key. For the long explanation, see section 5.4.1 here:
https://masteringmonero.com/book/Mastering%20Monero%20First%20Edition%20by%20SerHack%20and%20Monero%20Community.pdf
Perhaps I could create a wallet on another offline device, sign the TX and then import it to the node's wallet to be broadcast?
Yes, this is the correct method. Create your wallet on your airgapped computer, and then export your private view key to your online computer to create a view only wallet. Alternatively, create your wallet on your airgapped computer, and then in the GUI go to Settings -> Wallet -> Create a view only wallet.