based on what is currently known, arch was never vulnerable to the backdoor that was discovered. arch doesn't patch sshd so that it links systemd like how debuntu/fedora do, which was a requirement for the backdoor.
ofc this doesn't rule out any as-of-yet unknown vulnerabilities in xz/liblzma.
i used to have a custom domain email forwarded to gmail that would receive github notification emails and the same thing happened to me with those a couple months ago
also noteworthy is that grep -P will now use PCRE2 instead of PCRE, which is potentially a breaking change for anyone using grep -P in their shell scripts
for all of the requests to their api, it constructs a very long query string that is a basic fingerprint of your browser/os. then the query needs to be signed (or else the api returns a captcha), which is done by a blob of encrypted/obfuscated-beyond-recovery JS that uses a more comprehensive browser fingerprint to validate the query string and generate a token that is appended to the query. there's another required query param which involves an xhr to phone home so that presumably the fingerprints can be checked server-side. finally all of your fingerprint data is sent to their api where it lives happily ever after and you get some 15 second videos to watch
i think element (matrix) could work for you. it can't do email notifications, but if you have the mobile client on your phone you can get push notifications.
i used to work in health care, and the website for a certain medical board stores all of its licensees' passwords in plaintext. i am no longer licensed with that board, but i can't remove any of my data. a breach seems inevitable.
ofc this doesn't rule out any as-of-yet unknown vulnerabilities in xz/liblzma.