It would probably be best to say that only the latest version is security-supported (assuming that's true).
(In practice, if we found a vulnerability in xdg-dbus-proxy, I suspect we'd make a case-by-case decision on whether to backport the fix to the version of the proxy that is bundled with older-but-still-supported branches of Flatpak, or whether to just update those branches to the latest xdg-dbus-proxy - with the decision being based on how many unrelated changes that would bring in, and how much distro security/stable-release teams would be upset by those changes.)
It would probably be best to say that only the latest version is security-supported (assuming that's true).
(In practice, if we found a vulnerability in xdg-dbus-proxy, I suspect we'd make a case-by-case decision on whether to backport the fix to the version of the proxy that is bundled with older-but-still-supported branches of Flatpak, or whether to just update those branches to the latest xdg-dbus-proxy - with the decision being based on how many unrelated changes that would bring in, and how much distro security/stable-release teams would be upset by those changes.)