As we expected, it's listed in the Pixel Update Bulletin despite being an Android Open Source Project vulnerability and patch:
https://source.android.com/docs/security/bulletin/pixel/2024-05-01
Android Security Bulletins only cover the subset of High/Critical severity patches backported to the baseline yearly releases.
(this has been pushed in the latest GrapheneOS update)