Windows Update does seem to have become more aggressive, although MS will say that Windows 10 have done this since 1607.
The policy settings below do seem to help to tame WU
Policy Path: Computer Configuration\Administrative Templates\Windows Component\Window Update
Policy Name: Specify intranet Microsoft update service location
Setting: Enabled (and just configure an incorrect URL, such as “…” so updates connot be found)
Policy Name: Remove access to use all Windows Update Features.
Policy Name: Configure Automatic Updates
Policy Name: Do not allow update deferral policies to cause scans against Windows Update
Policy Path: Computer Configuration\Administrative Templates\System
Policy Name: Specify settings for optional component installation and component repair