It has been 198 days since the last alg=none JWT vulnerability.
Conecte SUS, the official app of the Brazilian Ministry of Health, does not validate JWT signatures when validating vaccine certificates offline. It doesn't accept alg=none, but it might as well.