If anybody is interested, I ran Mastodon’s source code through Mythos extensively before I lost access (turns out tooting about having access = bad idea); it came back entirely clean.
There was one hardening suggestion around data storage that I’ll report one day.