For vendor patches, you really can't trust that value in any way... I'm afraid there is no real way to check, except for trying the attack.

Qualcomm patches are not distributed as part of AOSP security patches, and is not tested for Google certification, so there is really no reason for it to be accurate, except possibly for Pixels.

I remember reading that phone manufacturers sometimes update the patch version but don't pull all the patches presumably because it's too much effort to integrate into their forked codebases.