We have the backports repository configured on our servers; however, it is pinned to a priority of 100 so that newer versions are not installed by default.
We also have kernel packages (linux-image.*) blacklisted for unattended-upgrades.
apt would not install the newer version from backports (checked with apt policy), but unattended-upgrades sends an email each day with the information that a package (linux-image-amd64) is on hold.
Looking at the code, this behavior happens because unattended-upgrades assigns each blacklisted package a priority of -32768 (NEVER_PIN), which overrides all other apt pinning and also sets the priority of each and every version of this package to the same number, regardless of its former priority.
Therefore, kept_package_excuse() will always find a better version in such cases, regardless of pinning, as it compares the modified (NEVER_PIN) priorities.
I have two proposals:
1) take the original priorities into account for finding newer versions, but this will probably be quite a big rework
2) do not report blacklisted packages as kept / on hold, as there is currently no way to discern whether the newer version is a candidate for installation
Here is a patch for option 2:
--- /usr/bin/unattended-upgrade 2021-02-19 13:11:42.000000000 +0100
+++ unattended-upgrade 2022-06-03 14:22:53.972635631 +0200
@@ -208,6 +208,8 @@
"dry-run mode."))
return kept_packages
for pkg in self:
+ if pkg.is_installed and pkg.installed.policy_priority == NEVER_PIN:
+ continue
better_version = self.find_better_version(pkg)
if better_version:
logging.info(self.kept_package_excuse(pkg._pkg,
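Review bot: the new guard in the `for pkg in self:` loop infers blacklist status from the pin value (`pkg.installed.policy_priority == NEVER_PIN`) rather than from the blacklist itself, so it silently depends on the NEVER_PIN pinning having been applied before this loop runs and on no other code path ever assigning that priority; if the hunk's position guarantees that ordering, a one-line comment saying so would help, otherwise checking the blacklist directly is the safer condition. The bare `continue` also drops the package without any trace, so a `logging.debug("skipping blacklisted package %s", pkg.name)` before it would make the behaviour visible when an operator wonders why a held package no longer appears in the report. The `pkg.is_installed` check is needed and correct, since `pkg.installed` is not available for packages that are not installed.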
Cheers
Volker
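The following is an added illustration of the mechanism described in the report, not code from unattended-upgrades or from the reporter. It is a deliberately simplified model: the `Version`/`Package` classes, `find_better_version()` (a better version is one that is newer than the installed one and pinned no lower than it), the version comparison and the sample priorities (500 for the installed kernel from the main suite, 100 for the pinned backports kernel) are all constructed here; only the NEVER_PIN value comes from the report. It shows why the kept-back check fires once every version of a blacklisted package carries the same pin, and how the guard from the proposed patch suppresses the report.

```python
import re
from dataclasses import dataclass, field

NEVER_PIN = -32768  # value the report quotes for blacklisted packages


def version_key(version: str) -> tuple:
    """Crude stand-in for apt's version comparison: compare the numeric runs.
    Sufficient for the constructed versions below, not for real Debian versions."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


@dataclass
class Version:
    version: str
    policy_priority: int  # apt pin priority as seen by this model


@dataclass
class Package:
    name: str
    installed: Version
    versions: list = field(default_factory=list)

    @property
    def is_installed(self) -> bool:
        return self.installed is not None


def find_better_version(pkg: Package):
    """Model of the comparison the report describes: a version is 'better' if it
    is newer than the installed one and its pin priority is not lower than the
    installed version's. Returns the best such Version or None."""
    candidates = [
        v for v in pkg.versions
        if version_key(v.version) > version_key(pkg.installed.version)
        and v.policy_priority >= pkg.installed.policy_priority
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda v: (v.policy_priority, version_key(v.version)))


def apply_blacklist(pkg: Package) -> None:
    """Mirror the behaviour the report describes: every version of a blacklisted
    package, the installed one included, gets NEVER_PIN as its priority."""
    for v in pkg.versions:
        v.policy_priority = NEVER_PIN


def kept_packages(pkgs, skip_never_pinned: bool) -> list:
    """Names of packages that would be reported as kept back. With
    skip_never_pinned=True the loop applies the guard from the proposed patch."""
    kept = []
    for pkg in pkgs:
        if not pkg.is_installed:
            continue
        if skip_never_pinned and pkg.installed.policy_priority == NEVER_PIN:
            continue
        if find_better_version(pkg) is not None:
            kept.append(pkg.name)
    return kept


def make_kernel_package() -> Package:
    """Constructed sample: installed kernel metapackage from the main suite
    (priority 500) and a newer one from backports pinned to 100."""
    installed = Version("5.10.120-1", 500)
    backport = Version("5.18.5-1~bpo11+1", 100)
    return Package("linux-image-amd64", installed, [installed, backport])


def demo() -> dict:
    """Run the three scenarios: before blacklisting, after blacklisting without
    the patch, and after blacklisting with the patch's guard."""
    before = kept_packages([make_kernel_package()], skip_never_pinned=False)
    pkg = make_kernel_package()
    apply_blacklist(pkg)
    after_unpatched = kept_packages([pkg], skip_never_pinned=False)
    after_patched = kept_packages([pkg], skip_never_pinned=True)
    return {
        "before_blacklist": before,
        "blacklisted_unpatched": after_unpatched,
        "blacklisted_patched": after_patched,
    }


if __name__ == "__main__":
    print(demo())
```

With the original priorities the backports kernel (100) never counts as better than the installed one (500), so nothing is reported. Once the blacklist flattens every version to NEVER_PIN, the two priorities are equal and the newer version string alone makes it "better", which is the daily "on hold" mail; the guard from option 2 skips such packages before that comparison is made.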