ungoogled-chromium receives frequent security updates, so it is
important for users to keep it up-to-date. However, binary substitutes
for the latest version are usually not available, and it can take a
very long time to build from source, possibly multiple days on low-end
hardware. This might tempt or force some users to put off upgrading
the package and run an older, vulnerable version until a binary
substitute is available or they have a chance to set aside the uptime
needed to build from source.

I don't know what Guix's CI system looks like or how packages are
queued for building, but if there is a way to prioritize builds for
certain packages, I propose that substitutes for packages like
ungoogled-chromium should be built as soon as possible once there is a
new version. Other security-critical packages with potentially long
build times that come to mind are icecat and linux-libre.