Thanks for the useful resources. I also found Security Team | Nix & NixOS. OK, there is a link to GitHub issues that have a security tag, but what I miss are some security advisories for high-profile issues. It doesn’t have to be elaborate, perhaps just a quick one-liner: unprivileged user can escalate privileges with this, here is a link to the pull request and here is how you can check whether you are affected.
Also, for CVE-2021-4034 it took me a while to find polkit: fix local privilege escalation in pkexec by mweinelt · Pull Request #156750 · NixOS/nixpkgs · GitHub and that you can set security.polkit.enable = false; as a workaround.
I understand this “am I affected” question is a bit harder to answer than in other distributions, but I can imagine that you could have some tool first checking your NixOS configuration (i.e., whether polkit is enabled) and then it could verify whether your nixpkgs contains commit ids (a and b) or (c and d).
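The check proposed at the end of the post above, sketched as an added example (not part of the original post and not an existing NixOS tool): it reads whether polkit is enabled, then tests whether the running nixpkgs revision contains every commit of at least one fix set. The commit ids are placeholders, and `NIXPKGS_CLONE`, the verdict words and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not NixOS tooling. The commit ids below are placeholders.
FIXSET_1="<commit-a> <commit-b>"   # the fix as merged on one branch
FIXSET_2="<commit-c> <commit-d>"   # the same fix as backported to another

# contains_commit REPO REV COMMIT -> 0 contained, 1 not contained, 2 git cannot tell
contains_commit() {
  r=0
  git -C "$1" merge-base --is-ancestor "$3" "$2" 2>/dev/null || r=$?
  [ "$r" -le 1 ] || r=2   # git exits 128 for ids missing from the clone
  return "$r"
}

# has_fix REPO REV SET... -> 0 if one SET is fully contained in REV,
# 1 if no SET is complete, 2 if git could not answer for some commit.
has_fix() (
  repo=$1 rev=$2 unknown=0
  shift 2
  for fixset in "$@"; do
    complete=1
    for c in $fixset; do
      st=0; contains_commit "$repo" "$rev" "$c" || st=$?
      [ "$st" -eq 0 ] && continue
      [ "$st" -eq 2 ] && unknown=1
      complete=0; break
    done
    [ "$complete" -eq 1 ] && exit 0
  done
  [ "$unknown" -eq 1 ] && exit 2
  exit 1
)

# assess POLKIT_ENABLED REPO REV SET... -> prints mitigated|patched|affected|unknown
assess() (
  enabled=$1; shift
  [ "$enabled" = true ] || { echo mitigated; exit 0; }   # workaround active
  st=0; has_fix "$@" || st=$?
  case $st in
    0) echo patched ;;
    1) echo affected ;;
    *) echo unknown ;;   # stale clone or unknown id: do not guess
  esac
)

# Live run on a channel-based NixOS host; NIXPKGS_CLONE (a local nixpkgs git
# clone) is an assumed variable. Skipped when it is unset.
if [ -n "${NIXPKGS_CLONE:-}" ]; then
  enabled=$(nix-instantiate --eval '<nixpkgs/nixos>' -A config.security.polkit.enable)
  assess "$enabled" "$NIXPKGS_CLONE" "$(nixos-version --revision)" "$FIXSET_1" "$FIXSET_2"
fi
```

With the placeholder ids left in place the script reports `unknown`, because git cannot resolve them; a stale clone that lacks the running revision gives the same answer rather than a false `affected`.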