I’m aware you’re an experienced developer (calibre is wonderful, many thanks). Since this is a public forum, I’m trying to answer questions in a way which can be read by other developers with potentially less experience of open source projects; my apologies for not putting in the time and effort to make that clear.
For security concerns, GLFW has a very low attack surface and performs no IO. I think the most likely attack vectors which might affect GLFW would be malicious code distribution via a package manager or a maliciously installed shared library patch to the glfw .so, both of which would be avoided by static linking at the potential cost of any vulnerability in GLFW (which I’d rate as lower). However, I understand your concern and wish to wait for the official release when available.
As mentioned above, @elmindreda may be able to provide an estimate. For the benefit of readers unfamiliar with open source development, they should read any such estimate as just that.