This has been coordinated with akeeba and the porposed code is from never versions of fof thats only run on PHP7 but the backport to older php versions via the random_combat backport is still valid.

That's not how it reads to me otherwise I wouldnt have asked the question

Thats the text thats used within fof and that is running on php7 only. But via random_combat this function is backported to php 5.x too.

But via random_combat this function is backported to php 5.x too.

Thats the information that is missing

Joomla is using paragonie/random_compat since 2015. This provides a polyfill for random_bytes() and random_int() under PHP 5.3.

The comment is what I had written for my own code since FOF 3.6.0 and later has dropped PHP 5 support.

Also note that as of FOF 3.6.0 (released in June 2020) I was no longer using mt_rand() in the same code, I was using random_int(). The code marked by the JSST as vulnerable actually never was (it's RFC 4086 which is used to create crypto-safe randomness from more than one non-crypto-safe random sources) and it was never called anyway since TFA had always required either mcrypt or OpenSSL to work at all.

The Greek phrase "drilling a hole in the water" and the English phrase "making a mountain out of a molehill" come to mind with regards to this change, but I digress...

I was just confused reading that comment on its own and out of context