There's no such thing as legacy descriptors.
You cannot mix both watchonly descriptors and descriptors with private keys in the same wallet.
However, you can create a blank descriptor wallet and import the watchonly descriptors for the 2 addresses you used. You can then use this wallet to create a PSBT sending the coins somewhere else. The PSBT can be transferred to the offline machine to be signed, and back to the online one for broadcast.
With such a wallet, there is no risk of loss because of change, as the wallet will be unable to generate any change addresses, so if any change is needed, it will simply fail to create the transaction. You can further reduce risk here by using the sendall RPC.
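The workflow described in this answer, written out as bitcoin-cli calls. This is an added example, not part of the original post. The wallet names "watch" and "signer", the CLI variable and the json_field helper are assumptions made for illustration, and timestamp 0 is chosen so the import rescans for coins already received.

```shell
# Added example. Assumed names: wallets "watch" (online) and "signer" (offline).
# CLI can be overridden to point at a specific bitcoin-cli invocation.
CLI="${CLI:-bitcoin-cli}"

# Pull one string field out of bitcoin-cli's JSON output (no jq needed).
json_field() { sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"; }

# Build the importdescriptors request: one addr() descriptor per address.
# getdescriptorinfo supplies the checksum; timestamp 0 rescans the whole
# chain so coins already sent to the addresses are found.
import_request() {
    out='['; sep=''
    for addr in "$@"; do
        desc=$($CLI getdescriptorinfo "addr($addr)" | json_field descriptor)
        [ -n "$desc" ] || { echo "invalid address: $addr" >&2; return 1; }
        out="$out$sep{\"desc\":\"$desc\",\"timestamp\":0}"; sep=','
    done
    printf '%s]\n' "$out"
}

# ONLINE: blank watch-only descriptor wallet, import, sweep with sendall.
# sendall creates no change output; without keys it returns an unsigned PSBT.
online_create_psbt() {   # $1 = destination address, rest = watched addresses
    dest=$1; shift
    req=$(import_request "$@") || return 1
    $CLI -named createwallet wallet_name=watch disable_private_keys=true \
        blank=true descriptors=true >/dev/null || return 1
    $CLI -rpcwallet=watch importdescriptors "$req" >/dev/null || return 1
    $CLI -rpcwallet=watch sendall "[\"$dest\"]" | json_field psbt
}

# OFFLINE: sign with the wallet that holds the private keys.
offline_sign() {         # $1 = unsigned PSBT (base64)
    $CLI -rpcwallet=signer walletprocesspsbt "$1" | json_field psbt
}

# ONLINE: finalize and broadcast; refuse if signatures are still missing.
online_broadcast() {     # $1 = signed PSBT (base64)
    hex=$($CLI finalizepsbt "$1" | json_field hex)
    [ -n "$hex" ] || { echo "PSBT is not fully signed" >&2; return 1; }
    $CLI sendrawtransaction "$hex"
}
```

On the offline machine, running decodepsbt on the PSBT before signing lets you confirm it pays only the destination you expect.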