Is that still unpatched on the Pixel 6? As far as I can find the CVE has been patched in the Android security bulletin from 2022-11-05, which the Pixels receive (that + the patches specified in the separate Pixel security bulletin).
I don't really understand why you would spend Pixel 4 XL money on a phone that will only receive three years of updates, but it's not like Google hid their support timeline from any of their customers.
It looks like the Pixel 4 didn't get the update. From what I can tell, the Pixel 4/4 XL received the security updates as promised by Google during its announcement: https://web.archive.org/web/20191015163036/https://support.g...
I don't really understand why you would spend Pixel 4 XL money on a phone that will only receive three years of updates, but it's not like Google hid their support timeline from any of their customers.