tl;dr: if in doubt, watch your devices kernel source repository
the android security bulletins have 2 “patch level dates”, one for framework, one for kernel and firmware.
In general, Lineage and /e/ releases for devices outside their manufacturer support mostly have the framework patches, not necessarily kernel (for EoL kernels) and firmware. A subsequent patch level doesn’t mean they covered the last months kernel/firmware.
If the manufacturer isn’t issuing updates anymore, it’s up to the individual maintainers to do kernel backports.
Answer is pretty device and maintainer specific. I think most older devices have the kernel that last saw a GPL release and nothing in between.
There’s an autopatcher by DivestOS that backports what has an CVE. Alot of issues don’t get an CVE assigned though (but very public / critical ones do). A soft guideline by Lineage for maintainers and kernel problems is “if the issue breaks the news or has its own logo, pls patch”).
Newer device having seen their market release with Android 11 and 12 have GKI kernels that are a lot easier for maintainers to keep updated.