Hi Lisa,
During Extended Support, security updates are not restricted to a particular CVSS score or severity tier; eligible security fixes continue to be released. The severity-based limitation applies to ESU programs after support ends, not to the standard Extended Support phase.
You can refer to this article from Microsoft: https://support.microsoft.com/en-us/topic/windows-10-extended-security-updates-esu-program-45638ee7-85cc-405c-8f72-03886ed0ff33