Ghen The Pixel 5 should be relatively secure for a couple of years since serious vulnerabilities take around 2 to pop up
I don't think that's how it works.
Recently there was a pretty bad remote code execution bug in cellular modem firmware. It affected Pixel 6 and 7 devices and many other devices. It did not happen two years after the 6 and 7 went out of support, or two years after they were released. I don't think it happened on any schedule.
Meanwhile, less-publicized bugs in firmware and drivers are fixed routinely. That stops cold for EOL devices.
Ghen If a highly serious vulnerability comes along, Google is likely to address it for any phone post 2020 still
My understanding is that they in general can't. Once their support contract with Qualcomm or Samsung for some hardware is over, those teams disband and people start forgetting what they once knew about the chips. If something big went kablooie one month after EOL, that would be one thing. But I am unaware of a pattern of a secret extra two years of kablooie protection.
Note that bugs in EOL devices are not generally announced and may not even be tracked (since they won't be fixed). I think the right way to read a bug silence after EOL is that people keep finding bugs but that most of them end up in the hands of attackers, who have a larger portfolio every month or two.