That is also absolutely unchanged compared to "since forever". Canonical supports "main", while "universe" and "multiverse" offer best-effort community support (aka from debian). They now additionally offer a dedicated team for those repos.
Honest question, since the arch wiki seems surprisingly spotty on this: Which arch repos are covered by their security team? Just core? Or also extra? More than that? AUR surely not, right?
Not even "from debian". Sometimes they can't be bothered to copy debian packages that fix security issues if the package is in universe, and just leave it vulnerable for the entire duration of the LTS.
It's not the case for this example of ffmpeg (it's actually not patched), but make sure to check the actual changelog. Sometimes the version is kept, but the patches are backported, so a plain version comparison is not enough.
Honest question, since the arch wiki seems surprisingly spotty on this: Which arch repos are covered by their security team? Just core? Or also extra? More than that? AUR surely not, right?