amazon web services – Will critical security updates get applied even with “auto minor version upgrade” disabled?

RDS offers an “auto minor version upgrade” setting, described in the docs, which causes AWS to automatically upgrade your database engine from time to time:

If you want Amazon RDS to upgrade the DB engine version of a database automatically, you can enable auto minor version upgrades for the database.

When Amazon RDS designates a minor engine version as the preferred minor engine version, each database (with this setting turned on) is upgraded to the minor engine version automatically

However, some other AWS docs also describe something called “required software patching”, framed as distinct from other automatic engine upgrades:

Maintenance events that require Amazon RDS to take your DB instance offline are (bla bla bla), database engine version upgrades, and required software patching. Required software patching is automatically scheduled only for patches that are security and durability related.

(bolding mine)

I’m not sure how to interpret these two passages, taken together. One possibility is that if I turn off the “auto minor version upgrade” setting, no engine updates whatsoever will be applied automatically. Another possibility is that some engine updates – such as important security fixes – are “required” and thus will be applied even if I have the setting turned off, and that turning it on simply means that I’ll get some other engine updates applied too, even though they don’t involve important security fixes.

Understanding which interpretation is the correct one seems important when evaluating the security implications of turning “auto minor version upgrade” off. Which interpretation is true?