by ridaj 1669 days ago
Respond by using 2FA if you weren't already, not signing into the account from untrusted devices, checking OAuth grants for apps you don't recognize, and not using the same pw elsewhere.

Yeah, we were doing that, so the response was to just shrug. Without a lot more context it's hard to know what your reaction should be to something like that.
I can only guess, but I suppose the context in which they would trigger something like this would be that some of their accounts get hijacked to send things to a bunch of email addresses, which later turn out to be links to zero-day exploits attributable to state-sponsored attackers, so they warn the recipients of those emails. But it's got to be a relatively scattershot warning - Google doesn't really know how vigilant you are. A friend of mine working for an NGO got the Gmail warning back in 2012 and upgraded a few overdue things.
A lack of context is kind of the problem here. What we need are specific method details, including origination addresses. There may be times when only most of that info is helpful, but withholding is always the opposite of helpful.
Except for future users targeted by those same attackers, for whom it is immensely helpful that they aren't being tipped off.
Google's approach (and possibly Apple's) is commendable, but very poor UX-wise. Google specifically seems to include "phishing attempts" in their government-attack detection, and the direct reason seems to be that phishing was used in compromising the DNC in 2016. But there's a huge difference between a hacker-for-hire group that may have tenuous government links sending a mediocre phishing email (as in https://blog.google/threat-analysis-group/updates-about-gove...), and advanced zero-click zero-day use on all personal devices by a direct government body. Lumping them together makes zero sense.