2016 Forest Level with XP Computers in domain

The FFL and DFL only affect Domain Controllers. that being said, having XP machines on a 2016 domain (or any domain ) is a huge Security risk. IThey have been out of support for years and are a vector for viruses like wannacry. As long as you have all 2016 (or 2019) DCs you can raise the FFL. If you already have a 2016 DC and XP machines, then you already have had to lower SMB to 1.0 which leaves your network at risk.

  All that being said, XP is EOL (for a long time) and nothing at all is guaranteed. However, I have not seen any issues beyond the SMB version. I would recommend you upgrade your machines

Forgot to add, your Domains (all of them) must be at 2016 DFL to raise the Forest Level

You selected an incorrect solution PDIS

If you already have a 2016 DC and XP machines, then you already have had to lower SMB to 1.0 which leaves your network at risk.

Without enabling SMB 1.0 (bad idea) legacy devices will not pull GPOs. DFF and FFL does affect all operating systems, not just server OS'es

So if we have XP machines currently on our network, which we do and I have no choice but to allow then if they are authenticating with our Server 2008 or Server 2016 DCs then we would have SMB 1.0 enabled already, correct?  Are GPOs the only issue?  Can we just create local GPOs for the XP machines and not enable SMB 1.0?

If your XP machines are already pulling GPOs from a 2016 DC, then you are probably OK. It isn't just GPOs that can be affected. However, if you have a 2008 DC now, you can't upgrade the Forest level or Domain level until it is gone. Server 2016 FFL and DFL require Server 2016 or Server 2019 DCs. No downlevel DCs are supported.