When using Vue as a standalone SPA, there will certainly not be any major "bugs" discovered after the December 2023 EOL.
I'm using Vue as a standalone frontend SPA with an Express REST API backend, almost all the "risk" is in the backend, so I figured if I have my frontend configured correctly ( Using environment variables etc.), should Vue 2.7 still be available for production in 2030? Whether it should be used until 2030 is another question.
I have business, legal and personal reasons not to upgrade to Vue 3.x. Most people upgrade because the ecosystem follows Vue 3, I only rely on Vue-CLI, and my Vue 2 codebase is too large to refactor without security motivation.
This is a difficult question because most software cannot be used as a standalone front-end, so there isn't much evidence from what I've gathered on the internet about such security vulnerabilities in frameworks, post-EOL.
I would not bet such a bet on a JS framework, you never know what will happen. Especially since if Vue uses some kind of dependency (like lodash or something) and it has some vulnerability, I guess you won't be able to upgrade.
So, yes, betting on JS is probably not a good idea for long-term applications. But at the same time, like you said: client-side JS frameworks are nothing that important.
It all depends on how you use it with the packages around Vue.
It would be safer to use some backend to render the view (and then add some plain JS on top of it to replicate the SPA's behavior). Otherwise, it's definitely safer to stay away from JS everything and more on the server side.
TLDR: JS needs maintenance.