gnome web version 40 came out in 2021 see NEWS · master · GNOME / Epiphany · GitLab.
The reason why they are still shipping an old and vulnerable version of gnome web is because they are using their own fork see https://source.puri.sm/Librem5/debs/epiphany, which they also didn’t update in a long period. the last change they have made there was to disable navigation gestures.
unfortunately if they shipped what debian is shipping, then you will get version 3.38.2 if you are using Byzantium because Byzantium is based on debian bullseye and debian ships version 3.38.2 to their debian bullseye users. though based on Information on source package epiphany-browser it seems they have fixes for almost all of the recently(last three years) disclosed software vulnerabilities compared to what purism is shipping.
Also you can read Please be aware if you are using epiphany browser - #20 by Moon3 about the different software vulnerabilities that affect the version they are shipping.