h5bp / server-configs-nginx

Nginx HTTP server boilerplate configs

`add_header` directives in expires.conf override extra-security.conf

mattrubin opened this issue · comments

After merging the latest configs from this project into my own server configs, I discovered that my site was now unexpectedly failing all the tests on https://securityheaders.io. With some manual searching, I discovered that fd84b1f was the offending commit, and after some research I discovered a blog post explaining a pitfall with the add_header directive.

From the add_header documentation:

There could be several add_header directives. These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.

Because the add_header directives for cache control in expires.conf are nested a level deeper than those in extra-security.conf, the directives from the higher level are not inherited. The cache control header is added, but the security headers are not. Prior to fd84b1f, this issue only applied to images and other media which had an add_header directive for cache control, but now this issue applies to the other types defined in expires.conf.
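As an added illustration of the inheritance rule quoted above (a constructed example, not the project's actual expires.conf or extra-security.conf, with illustrative header names and a placeholder hostname), the first server block loses its security headers on cached paths, and the second repeats them at the nested level:

```nginx
# Constructed example for a conf.d-style include (not the project's files).
# Header names and values are illustrative, not the project's directives.

# --- Pitfall: a nested add_header stops inheritance from the server level --
server {
    listen 80;
    server_name pitfall.example.invalid;   # placeholder hostname

    # Declared once at server level, as extra-security.conf does.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # This block declares its own add_header, so nginx does NOT inherit the
    # two headers above: responses for .css/.js carry Cache-Control only.
    location ~* \.(?:css|js)$ {
        expires 1y;
        add_header Cache-Control "public";
    }
}

# --- Fix: re-declare the security headers at every level that adds headers --
server {
    listen 80;
    server_name fixed.example.invalid;     # placeholder hostname

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    location ~* \.(?:css|js)$ {
        expires 1y;
        add_header Cache-Control "public";
        # Repeated here because inheritance is all-or-nothing per level.
        # In practice, factor these into one snippet and `include` it wherever
        # an add_header directive appears, so the lists cannot drift apart.
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
    }
}
```

After `nginx -t` and a reload, `curl -sI` against a `.css` path on each hostname shows the difference: only the fixed server returns the security headers alongside Cache-Control. Checking a cached asset path, not just `/`, is what catches this class of regression.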