It is known to build and run on some architectures.
Excellent point! I already mitigate this risk by building most of my (upstream) packages on macOS and Windows as well as GNU/Linux, but still.
And if you decide to vendor gnulib anyway, don't forget to register
yourself with the security tracker!
Excellent suggestion, thanks.