Revisiting ownership-by-file-overlap relationships

As an aside, it looks like, from "Exclude-binary-overlap-by-ownership flag is not working", some users expect that excluding binary files by ownership overlap will already remove other packages.

I think the concern here is that if I’m on a distro that only reports vulns after they’re patched, and I install an OS package that brings with it a Python package, then GHSA on the Python package is the best source of vulnerability data I have until the distro releases a patch or changes their reporting policy.
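A simplified model of the concern raised above, added here as an illustration and not taken from the thread or from any scanner's code. The package names, both feeds, the placeholder advisory ids and the matching logic are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Package:
    name: str
    version: str
    ecosystem: str  # "rpm" = OS package, "python" = language package

# Constructed SBOM: an OS package that installs a Python package.
OS_PKG = Package("python3-examplelib", "1.2.0-3", "rpm")
PY_PKG = Package("examplelib", "1.2.0", "python")
PACKAGES = [OS_PKG, PY_PKG]

# Ownership by file overlap: all of the Python package's files belong to the OS package.
OWNED_BY_OVERLAP = {PY_PKG: OS_PKG}

# Constructed feeds; advisory ids are placeholders. Values: (id, fixed-in version).
GHSA_FEED = {("python", "examplelib"): [("GHSA-PLACEHOLDER", "1.2.1")]}
DISTRO_FEED_BEFORE_PATCH = {}  # distro reports only after a patch exists
DISTRO_FEED_AFTER_PATCH = {("rpm", "python3-examplelib"): [("DISTRO-PLACEHOLDER", "1.2.0-4")]}

def parse(version):
    """Naive numeric version key, enough for the sample data."""
    return tuple(int(part) for part in version.replace("-", ".").split("."))

def match(pkg, distro_feed):
    """Language packages match against GHSA, OS packages against the distro feed."""
    feed = GHSA_FEED if pkg.ecosystem == "python" else distro_feed
    return [(pkg.name, vuln_id)
            for vuln_id, fixed_in in feed.get((pkg.ecosystem, pkg.name), [])
            if parse(pkg.version) < parse(fixed_in)]

def scan(distro_feed, exclude_owned):
    findings = []
    for pkg in PACKAGES:
        if exclude_owned and pkg in OWNED_BY_OVERLAP:
            continue  # owned package dropped before matching
        findings.extend(match(pkg, distro_feed))
    return findings

if __name__ == "__main__":
    for label, feed in (("before distro patch", DISTRO_FEED_BEFORE_PATCH),
                        ("after distro patch", DISTRO_FEED_AFTER_PATCH)):
        for exclude in (True, False):
            print(label, "exclude_owned=%s" % exclude, scan(feed, exclude))
```

Before the distro publishes anything, excluding the owned Python package leaves the scan with no findings at all; once the distro advisory exists, the same exclusion removes a duplicate report.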