based on what is currently known, arch was never vulnerable to the backdoor that was discovered. arch doesn't patch sshd so that it links systemd like how debuntu/fedora do, which was a requirement for the backdoor.
ofc this doesn't rule out any as-of-yet unknown vulnerabilities in xz/liblzma.
i used to have a custom domain email forwarded to gmail that would receive github notification emails and the same thing happened to me with those a couple months ago
also noteworthy is that grep -P will now use PCRE2 instead of PCRE, which is potentially a breaking change for anyone using grep -P in their shell scripts
for all of the requests to their api, it constructs a very long query string that is a basic fingerprint of your browser/os. then the query needs to be signed (or else the api returns a captcha), which is done by a blob of encrypted/obfuscated-beyond-recovery JS that uses a more comprehensive browser fingerprint to validate the query string and generate a token that is appended to the query. there's another required query param which involves an xhr to phone home so that presumably the fingerprints can be checked server-side. finally all of your fingerprint data is sent to their api where it lives happily ever after and you get some 15 second videos to watch
i think element (matrix) could work for you. it can't do email notifications, but if you have the mobile client on your phone you can get push notifications.
ofc this doesn't rule out any as-of-yet unknown vulnerabilities in xz/liblzma.