Ignoring the exposure, one can say the probability is very low to have any vulnerability exploited (I agree), but it’s another school of thought.
The kernel counts toward vendor patch level in devices that came to market pre-A12, not only periphery firmware. The story is muddied per (LineageOS-) maintainer, but they do backport to ancient kernels. Google GKI grabs some code back into the system patch level (true for FP5), but vendor code is very much not “a small portion of code the phone actually runs” - that is a misconception, no idea how you came to that conclusion.
The OP is more of a logistics topic and I root for Murena to get it right. First impressions.