Post from 2024-03-07 11:45:20

@algernon That's a good point, which brings us back to the question of whether security boundaries can be defined for a kernel that is used in numerous ways. I'd argue that at least some reasonable bar should be drawn, and at least some of the current CVEs shouldn't qualify, see:

https://twitter.com/ky1ebot/status/1762903790536327237 (there was also a variable renaming commit IIRC...)

If a product violates those assumptions, e.g. opens up an API for low-priv users, it should be their problem, their CVE, etc.