To summarize:

* You're running a version of Ubuntu that's still supported.

* One of the packages installed on your system has a known security vulnerability.

* There's an updated version of the package available that fixes the vulnerability.

* Since you're not subscribed to Ubuntu Pro, you're not allowed to update to the fixed version.

You missed

* There's an app in the Universe repository, which consists of software that is not formally supported by Canonical at all, which has security updates that are actually available from Canonical if you're an Ubuntu Pro subscriber.


I thought it was formally supported by Canonical, just not without Pro. They said it used to be best effort, but with Pro it has an SLA, right?


So do Canonical get their hands dirty at all and fix any code, or is this straight-up gatekeeping?


This is Canonical getting their hands dirty and applying their own patches faster than the package maintainers. If the package maintainer releases a patch, then that is applied like normal, no Ubuntu Pro required.


Does this mean you do get support for these packages if you pay? Or are they still best effort?


They actively patch them, which is something even RHEL doesn't do (RPM Fusion is not supported at all).


I saw where one person had this experience:

* It's barely an issue: I registered with Ubuntu online and got a free lifetime license for 5 machines, so it's no biggie.

I tried the same and got a minimum quote of $25 a year I think?

Has anyone figured out where this free option might be?


Once again: If they weren't offering this, it wouldn't be patched at all.

If they didn't have this, the security would be lower for everyone.

They have not taken anything away from anyone here, they have only provided extra services to people who pay.

They communicate this poorly, obviously. And it needs to be made clear that they are not withholding community patches, only contributing, for a price, priority patches to previously community-only packages.


If it wasn't bad enough that users are being used as guinea pigs with their staged apt updates model... this really takes the cake.