"Macs don't get viruses" was closer to true years ago when Windows dominated market share so heavily that malware authors simply didn't bother targeting the smaller Mac user base. That calculation has shifted.
Mac market share has grown enough, especially among higher-income users attractive to attackers, that Mac-targeted malware has become a real and growing category — adware, browser hijackers, and increasingly ransomware variants specifically built for macOS now exist in meaningful numbers.
Apple's built-in XProtect and Gatekeeper provide real baseline protection against known malware signatures and unsigned software — this isn't nothing, and it's more robust than older macOS versions had. It's not, however, comprehensive real-time protection against newly emerging threats the way a dedicated security suite aims to be.
The biggest realistic risk for most Mac users isn't traditional viruses — it's phishing, malicious browser extensions, and social-engineering-based scams that trick a user into installing something harmful, which OS-level protection can't fully prevent since the user is the one clicking "allow."
For most individual users with reasonable browsing habits, macOS's built-in protection plus basic caution covers a lot. For businesses, anyone handling sensitive data, or anyone wanting protection against the newer phishing and social-engineering-driven threats specifically, dedicated Mac security software adds real, non-redundant protection rather than just duplicating what's already built in.