• I was resolving an issue that made my Pages and Products disappear from the list on the relevant admin pages.

    One thing that I have noticed early in the mitigation process is that if I turn off i-excel, the page results come back.

    After upgrading, downgrading and doing many things, the conclusion was that, in the database, the wp_options table / wp_custom_filters datapoint contained “YTowOnt9”, which equals “a:0:{}” in base64.
    The function that checks this value feeds results into a “NOT IN (results)” query parameter, which should never be empty (), because that runs SQL on error.

    The function that calls the datapoint tries to protect against such a situation, but fails to do so, because it does not look “inside” the base64 text and simply allows through an empty array response without returning the “null” replacement.

    function customFiltersSettings() {
      $settings = get_option('wp_custom_filters');
      if (!$settings) {
          return null;
      }
    
      return unserialize(base64_decode($settings));
    }

    I have seen this exact code in the twentytwenty theme as well,
    but for some reason I did not get an error when swapping back to that theme, so I assume they have implemented some sort of protection, that i-excel did not?

  • The topic ‘Vulnerability: sql error/injection on page lookup’ is closed to new replies.
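
An added example, not part of the original post or of any theme's code: the `!$settings` check in the posted function passes because the stored string “YTowOnt9” is non-empty, so the emptiness check has to run after decoding. The names `customFiltersSettingsChecked` and `excludedIdsClause`, the stand-in `get_option()`, and the assumption that the setting holds a flat list of post IDs are all hypothetical.

```php
<?php
// Constructed stand-in for WordPress's get_option(), so this runs outside WordPress.
$constructedOptions = ['wp_custom_filters' => 'YTowOnt9']; // the value from the post
if (!function_exists('get_option')) {
    function get_option($name, $default = false) {
        global $constructedOptions;
        return $constructedOptions[$name] ?? $default;
    }
}

// Hypothetical hardened variant: the emptiness check runs on the decoded value.
function customFiltersSettingsChecked() {
    $raw = get_option('wp_custom_filters');
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    $decoded = base64_decode($raw, true);      // strict mode: false on invalid input
    if ($decoded === false) {
        return null;
    }
    // allowed_classes => false: never instantiate objects from option data
    $settings = @unserialize($decoded, ['allowed_classes' => false]);
    if (!is_array($settings) || count($settings) === 0) {
        return null;                            // "a:0:{}" ends up here
    }
    return $settings;
}

// Hypothetical helper. Assumes the setting is a flat list of post IDs.
// Returns '' rather than ever emitting "NOT IN ()".
function excludedIdsClause(?array $ids): string {
    $ids = array_filter(array_map('intval', $ids ?? []), fn($id) => $id > 0);
    if (count($ids) === 0) {
        return '';
    }
    return ' AND ID NOT IN (' . implode(',', array_unique($ids)) . ')';
}

// Constructed inputs: the empty array from the post, a two-ID list, a missing option.
foreach (['YTowOnt9', base64_encode(serialize([3, 7])), false] as $value) {
    $constructedOptions['wp_custom_filters'] = $value;
    $clause = excludedIdsClause(customFiltersSettingsChecked());
    printf("%-12s => %s\n", var_export($value, true), $clause === '' ? '(no clause)' : $clause);
}
```

Casting every element with `intval` before it reaches the SQL string also keeps option data that someone has edited in the database from being interpolated into the query as text.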