Using arbitrary groups to find members to send email allows:
- the arbitrary group to also be privileged to the group as desired ( maybe as little as Read? AKA: They get email, but they have to work through an Access Management group to effect changes in the group.)
- allows a sub set of maintainers to be responsible to attest the group (vs all Updaters)
- prevents hard coded email addresses from being forgotten about when org changes happen
- the whole arbitrary group could be notified, but only some of the members may have privileges (via other group memberships) to do the attestation and some members may only get emails about the attestation need for monitoring reasons.