@grove - yes, true - good point. They do seem to have interlocks that prevent version checking for people such as yourself. If you hand-craft the check (as above), you don’t need to give them a “real” referrer, but they’ll get your IP address of course, and could quite probably infer everything if they really want to.
I’m not sure I can immediately think of a way to check for upgrades without giving away the current version other than the original apt list --upgradeable method, but that won’t tell you if it’s ‘critical’ or not. I guess you could then cross-check with the RSS feed to see if the version is mentioned - although now I look in more detail, I see that 16.8.0 is not mentioned in the RSS feed, yet it was a release, and addressed a security problem (so this method isn’t likely to be fool proof). You’re probably in the realms of “use a security product” (as suggested above) to make this really robust - assuming budget allows.