Is this actually necessary? Upstream doesn't seem to consider this a security issue but nevertheless backported the changes to mitigate it to 5.3.4 - https://make.wordpress.org/core/2020/06/09/wordpress-5-4-2-prevent-unmoderated-comments-from-search-engine-indexation/

@pbogdan I'm not in the position to make such decisions the problem is just that Wordpress officially says that other versions are not supported. I understand that all the CVEs in the issues have explicitly mentioned that the vulnerability is also fixed in 5.3.4. They also say "There are no fixed period of support nor Long Term Support (LTS) version such as Ubuntu's. None of these are safe to use, except the latest series, which is actively maintained. ". So I personally would like to update but I don't want to make that decision myself.

Edit: I think all currently known CVEs are fixed in 5.3.4 so this is not urgent. So this is more of a discussion for now.

Admittedly I've been out of the loop for a while but historically upstream has been very good about backporting any security fixes. OTOH upgrading between non-patch upgrades can be problematic so unless there's a pressing need I would personally hold off on a jump from 5.3.x to 5.5.x on a stable release branch.
Let's see if we can get any feedback from other maintainers.

@pbogdan I agree with you that upstream seems to be backporting quite well. I will close this for now also considering that 20.03 is expected to get obsolete (hopefully soon). If a maintainer objects they can reopen of course.

Edit: I just don't like their policy: No guarantee for any older version but basically it's safe to use in practice.