Python 2 and 3 are using a bundled Expat (residing under Modules/). This has been the cause of security vulnerabilities in the past and should be changed to use Expat from Guix.