I think your threat model is wildly backwards if you believe that average users are concerned about threats from bugs in old kernel versions. In all of your posts, you carelessly (or deliberately?) conflate privacy and security. This is the same shell game that Google themselves play in their marketing https://www.tomsguide.com/phones/google-pixel-phones/the-pix...
Your idea of a super-secure phone is a modern kernel with all the security patches running trusted, official signed Google Play spyware in a sandbox and all the apps collecting personal data in the same sandbox. There's an XKCD meme about this: https://xkcd.com/1200/ You are worrying about the printer drivers.
/e/ lacks privacy without taking exploits of unpatched security vulnerabilities into account due to having severe unpatched privacy vulnerabilities, lack of modern Android privacy protections and lack of important privacy features filling major gaps in Android privacy covered by iOS such as Contact Scopes and Storage Scopes. Some major gaps in privacy aren't covered by either Android or iOS such as a Sensors toggle, especially with how the sensors can be used to do rough recording of audio.
Taking advantage of privacy flaws in older versions of software is the norm and not treated as malware by most platforms, app stores, news sites or the public at large. Many widely used apps abuse privacy flaws in older Android versions. That happens both in the form of privacy bugs which were fixed in newer versions and weaknesses in the design addressed by newer OS versions. Only privacy patches for issues considered bugs which are assigned a High or Critical severity are backported. The severity is very subjective and they try to avoid adding a large number of backported patches since some OEMs struggle to keep up with it and adding more patches would make it harder. As an example, VPN leaks are only considered Low or Moderate severity issues by Android and don't get backported. Many other kinds of privacy issues are similarly only fixed for the latest OS releases. As another example, many important privacy improvements are not considered bug fixes at all and aren't candidates for being backported regardless of importance. Many privacy improvements require changing the APIs used by apps with new target API levels which can't be backported without breaking compatibility.
A large portion of the missing patches in /e/ we're referring to are privacy patches, not security patches. However, security patches are also needed to protect privacy. Many apps and services abuse the privacy vulnerabilities. The patches being referred to are a mix of both. A large subset are privacy patches, especially the Moderate and Low severity patches due to how they assign severity. Only certain particularly awful classes of privacy vulnerabilities can get considered High or Critical severity to be candidates for Android's backporting to older releases.
Apps exploiting security vulnerabilities to get code execution would be considered malware and are rare, but apps abusing many privacy flaws in older Android is the norm among mainstream apps. You're wrongly interpreting the regular stream of patches for vulnerabilities as only being for security issues when many are for privacy issues. With /e/, you aren't getting the bare minimum to protect privacy and security. Privacy also depends on security and is not an entirely separate thing as you're portraying it. We're not conflating them but rather they're very closely related. You're also disregarding privacy vulnerabilities and the steadily improving standard Android privacy protections.