Thumbor depends on the xcf2png utility from https://github.com/j-jorge/xcftools to convert XCF files to PNG files during thumbnailing. That library is largely unmaintained. It is based on a version of the spec from 2006, and received limited updates when it was forked in 2013 to make it compatible with GIMP 2.8. Updates since then have been maintenance only. The project also has two active unfixed vulnerabilities, CVE-2019-5086 (CVSS 7.5) and CVE-2019-5087 (CVSS 8.8).
ImageMagick is already used by thumbor, so dropping xcftools won't add a new dependency. ImageMagick's XCF support is also lacking, but it does at least partially support GIMP 2.10 files in ImageMagick 7.