The author probably doesn't care.

To be clear I don't think the author's point on updates is such a good idea and that's an example of why, but I understand they require a level of trust on the developer that many, many companies haven't earned.

Inform the user in a minimal way. Probably this means some kind of flag that can be clicked on in order to see a list of what was done and what problems that might address. If the fixes relate to unused features then they can be pended and there is no need to interrupt workflow.

Sometimes I ponder how we could split security updates, bug fixes and new features.

It's a fun puzzle but to hard for me.

Perhaps a 4th kind is needed (needed by the developers)

If the updates are split into small chunks some users could review it before installing. Read the div in the dialog.

Exactly ! Instead of writing good modular programs, pack "features" and security fixes in a nice bundle so users can choose to have their app enshittified or being vulnerable and I sure know which one of the two users don't care. It's a so popular strategy Microsoft uses, Windows even forces it only allowing you to delay it for some weeks.