The next release is branched off unstable (or master) a while before the actual release to have some time to fix packages that do not build. E.g., 20.03 was branched in early February although it was not released until April:
So, a release starts with the versions of unstable at the time of the branch + updates made during the freeze to fix packages + security updates. After the release, updates on a release branch are primarily to fix security issues and/or fix higher-impact bugs/issues (typically things that bother people that put in the time to do a PR and do not have a large impact). When it comes to security issues, sometimes they are fixed by updating to a newer version of a package, sometimes a patch is applied to the existing version.
I don’t know why the GitHub CLI was bumped specifically. Either it addressed a security update, or it was a low-impact version bump that someone wanted or needed and did a PR for.