Does this mean your testing is only revolving around risk-based testing?
I use product risks to prioritise my tests. In case of doubt I can talk with the product owner, the help desk, or someone else.
Can there be risks that haven’t been discovered yet that you’re not looking for?
There are always unknown unknowns. I use exploratory testing to handle these situations.
Who’s defining the product risks?
According to me this is a group effort. People with different roles are needed, like a product owner, a programmer, and a tester. This is based on the Three Amigos. Depending on the product risks, other people from another department like legal could be involved.
Is product quality about winning at something?
This question is not completely clear to me. I interpret the question as follows: must the tester determine whether the product quality is good enough for the new release?
If there are clear requirements or acceptance criteria, then the tester can tell whether a new version can be released. In other cases the tester can only provide information about the system.
Are you focusing only on the highest product risks? Or does that depend on a number of contextual factors?
A product risk could be determined by likelihood and impact. In some cases this is not enough. For security-related product risks, attack vectors can have a major impact on testing.
What about project and business risk? Are they not supposed to be considered as well, together with product risk?
The product owner or project leader must take this all into account. If a bug costs 300K Euro a year and the new release will increase revenue by 800K Euro, then the choice looks obvious. According to me this is not up to the tester.
It is also possible to tell the business that certain product risks have not been tested.