Hacker News

Re: outdated Python: Isn’t this a perfect use case for Docker? Nix/NixOS is another option.


No. You might get it to run, but you would also get old security exploits to run.


It's fine, you're not running a network-accessible part of the service on unpatched software. The only input this part of the software requires is trusted configuration data and a video feed which could hypothetically be malicious, but then the question becomes why you're running an adversarial camera on your network, and why you're allowing it to connect to the internet to fetch latest exploits and C&C instructions.

You can also transcode the video before feeding it to any outdated software and run it in a VM if you're paranoid.


Never underestimate the power of a specially crafted raccoon whose appearance can trigger a buffer overrun


Yes, it is, because then you aren’t stuck with an EOL distribution where you get even more security issues to deal with (vs. just EOL Python).

Also, what kind of “security exploits” would an outdated Python result in if the Python interpreter itself isn’t serving a network port or accepting arbitrary user input in general?

I assume Frigate itself isn’t running the web app on the same Python version - it’s likely just the Coral SDK that requires an outdated Python version.



