However, you can create a blank descriptor wallet and import the watch-only descriptors for the 2 addresses you used. You can then use this wallet to create a PSBT sending the coins somewhere else. The PSBT can be transferred to the offline machine to be signed, and back to the online one for broadcast.
With such a wallet, there is no risk of loss because of change, as the wallet will be unable to generate any change addresses, so if any change is needed, it will simply fail to create the transaction. You can further reduce risk here by using the sendall RPC.
Or the corresponding button in the GUI? Thanks for the explanation, that helps me a lot!
I have two more questions if you have time to answer.
1. I have imported one of the descriptors (pkh) on the online machine. The daemon has started a rescan. This probably takes a very long time in my case. The RPC call ended with a timeout at some point. But the daemon continued rescanning. Then I terminated the daemon as a test and started it again. But it does not continue with the rescan after restart. I know that the displayed balance is correct, but why doesn't it continue the rescan or start it again? I have also reloaded the wallet.
2. I have received 4 descriptors with the same pubkey for each legacy address. The types are pk, pkh, sh(wpkh), wpkh. I have now used the pkh descriptor. But could I also use the others? What should I use? I would like to transfer the coins to a SegWit address (bc1).
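An added example, not part of the posts above and not Bitcoin Core's own code: the watch-only import described in the first reply takes descriptors that carry their checksum, so this Python code computes and verifies the BIP 380 descriptor checksum and builds the importdescriptors request, refusing any descriptor that was mistyped while being copied between the offline and online machines. The two public keys and the timestamp value used with it are constructed sample values, and the function names are this example's own.

```python
import json
# Descriptor checksum constants (BIP 380).
INPUT_CHARSET = ("0123456789()[],'/*abcdefgh@:$%{}"
                 "IJKLMNOPQRSTUVWXYZ&+-.;<=>?!^_|~"
                 "ijklmnopqrstuvwxyzABCDEFGH`#\"\\ ")
CHECKSUM_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = [0xf5dee51989, 0xa9fdca3312, 0x1bab10e32d, 0x3706b1677a, 0x644d626ffd]
# Constructed sample public keys (not from the thread); substitute your own.
SAMPLE = ["pkh(0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798)",
          "pkh(02c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5)"]

def _polymod(symbols):
    chk = 1
    for value in symbols:
        top = chk >> 35
        chk = ((chk & 0x7ffffffff) << 5) ^ value
        for i in range(5):
            chk ^= GENERATOR[i] if (top >> i) & 1 else 0
    return chk

def _expand(desc):
    # One 5-bit symbol per character, plus one symbol per 3 characters for their groups.
    symbols, groups = [], []
    for ch in desc:
        pos = INPUT_CHARSET.find(ch)
        if pos < 0:
            raise ValueError(f"character {ch!r} is not valid in a descriptor")
        symbols.append(pos & 31)
        groups.append(pos >> 5)
        if len(groups) == 3:
            symbols.append(groups[0] * 9 + groups[1] * 3 + groups[2])
            groups = []
    if groups:
        symbols.append(groups[0] if len(groups) == 1 else groups[0] * 3 + groups[1])
    return symbols

def add_checksum(desc):
    chk = _polymod(_expand(desc) + [0] * 8) ^ 1
    return desc + "#" + "".join(CHECKSUM_CHARSET[(chk >> (5 * (7 - i))) & 31] for i in range(8))

def has_valid_checksum(desc):
    body, sep, tail = desc.rpartition("#")
    if not sep or len(tail) != 8 or any(c not in CHECKSUM_CHARSET for c in tail):
        return False
    return _polymod(_expand(body) + [CHECKSUM_CHARSET.index(c) for c in tail]) == 1

def import_request(descriptors, timestamp):  # timestamp: UNIX time to rescan from
    if not all(has_valid_checksum(d) for d in descriptors):
        raise ValueError("descriptor checksum mismatch; re-copy it from the source")
    return json.dumps([{"desc": d, "timestamp": timestamp} for d in descriptors])
```

The string returned by import_request is the argument for the importdescriptors RPC in the blank watch-only wallet on the online machine.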