[3.9] gh-102950: Implement PEP 706 – Filter for tarfile.extractall (GH-102953) by encukou · Pull Request #104382 · python/cpython
implement a workaround themselves anyway.
The workaround is quite involved in this case, so one of the suggestions is:
```python
if hasattr(tarfile, 'data_filter'):
    my_tarfile.extractall(filter='data')
else:
    # remove this when no longer needed
    warn_the_user('Extracting may be unsafe; consider updating Python')
    my_tarfile.extractall()
```
See the PEP's section on backporting: https://peps.python.org/pep-0706/#backporting-forward-compatibility
most users of Python 3.9 won't be building and installing 3.9.17 anyway
FWIW, in RHEL we'll probably need to backport regardless of your decision (and probably go with a more aggressive variant, to boot).
Having it upstream could make life easier for other redistributors.
And yes, if it goes in, 3.8 and 3.7 are next.
Again FWIW: Red Hat is likely to put it in 3.6 as well.
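
The feature-detection pattern from the comment above, as an added example that is not part of the original thread or of CPython: it runs the check against a constructed in-memory archive containing one `../` member and reports whether the `data` filter rejected it. The names `build_sample_archive`, `extract_archive` and `demo` are hypothetical, and `warnings.warn` stands in for `warn_the_user`.

```python
import io
import tarfile
import tempfile
import warnings
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed sample: one ordinary member and one that climbs out via '../'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in (("docs/readme.txt", b"hello\n"),
                           ("../escaped.txt", b"outside\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_archive(archive: bytes, dest: Path) -> str:
    """Extract into dest; return 'filtered', 'rejected' or 'unfiltered'."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        if hasattr(tarfile, "data_filter"):
            try:
                tf.extractall(dest, filter="data")
            except tarfile.FilterError:
                # Raised at the default errorlevel when a member fails the filter.
                return "rejected"
            return "filtered"
        # Interpreter without the PEP 706 filters: the fallback from the comment.
        warnings.warn("Extracting may be unsafe; consider updating Python")
        tf.extractall(dest)
        return "unfiltered"


def demo() -> dict:
    """Extract the sample into a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as top:
        dest = Path(top) / "dest"
        dest.mkdir()
        outcome = extract_archive(build_sample_archive(), dest)
        # '../escaped.txt' would land beside dest, still inside the scratch dir.
        return {"outcome": outcome,
                "escaped": (Path(top) / "escaped.txt").exists()}


if __name__ == "__main__":
    print(demo())
```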