From MS reporting a vulnerability it is right to limit the scope to only systems that would be configured this way as a default configuration. There might be some edge case they want to cover with the addition of Server 2019.
I might assert, from a system hardening point of view instead of a vulnerability point of view, that any Windows system that has the relaxed permissions on these folders is at risk and should be tightened up.