I’d suggest to mark it as insecure for the reasons above, at least until there’s a somewhat canonical place to obtain patches from.
Probably some of the packages referring to p7zip can fall back to use other decompression tools - I’d expect people to step up and fix things if they care about it - this is similar to how we did with unsupported SSL versions.