The SecurityCheck-XSS had to be suppressed in addNoticeForm() and outputNoticeDetail() to get change https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/CentralNotice/+/518449 to pass build. The reason seems to be in geoMultiSelectorTree (CentralNotice:1552), but I couldn't figure out why. It would be good for there to be more investigation by someone who understands this better. We are going to +2 the patch for now.
The original issue was found too long ago (June 2019) for us to be able to understand what happened. The codebase has surely changed a lot since then, and so has taint-check. Also, taint-check <3.0.0 didn't warn about unused suppressions, which means we can't tell when the issue was fixed exactly.
The only way to do that would be to check out PS4 of r518449 and run taint-check 1.5 on it, but I think it would be a waste of time. Taint-check has improved a lot since then, and the issue might have been a false positive. In fact, I've just tried running taint-check 3.0.2 on CentralNotice master (without the @suppress annotation) and didn't get any XSS reported, so it was likely a false positive. I've also checked line 410 as reported above, and there seems to be no taintedness involved.
You can well say that it's often black magic :-D