The cryptographic integrity of the payload is governed by the payload digest, which in turn is signed when signing the header. The payload digest in v4 packages is hardcoded to SHA2-256 so just to be on the PQ safe side, we should backport SHA3 payload digest to RHEL.
In upstream, the SHA3 payload digest is limited to v6 packages because the v4 format is considered frozen now. Thus this would be a RHEL specific backport. Also in upstream PR the v4 payloaddigest tag is renamed to PAYLOADSHA256 with no backwards compatibility API aliases but for RHEL we either need to leave the tag name alone (at the cost of some backporting pains) or add aliases for the old tag name (at the presumably low risk of breaking somebody's script expecting a certain output).