This isn’t a vulnerability, it is a tightly controlled affordance in the Android system. I would suggesting revising this more to be more of a “be extra cautious when using” article. This is akin to calling the Accessibility framework a vulnerability, it’s just giving trusted apps elevated privileges (with very explicit warnings).
Other than that, this is a great writeup and I appreciate you taking the time to show the potential security concerns when using notifications. A healthy paranoia dictates that anything passed to the system shouldn’t contain sensitive data, even things like startActivity().