Right, at the very least the key in the top level object should not be an unexpected name we did not request, as that looks very wrong. If the packageName is still set to the one in the advisory, i.e. drupal/paragraphs, that sounds kinda reasonable to me, as it says you wanted advisories for X and here is one but it references another package, so be it.
I see, yes that seems like a bit of a mess, but I can see how it makes sense.
However, it should be returned with the key set to drupal/paragraphs-paragraphs_library and packageName probably set the same as well in the object.
@drumm this triggered another error for us - traced it back to https://packages.drupal.org/8/security-advisories?packages[]=drupal/para... which returns drupal/paragraphs - so it looks like the problem still exists or at least some of it.
I don't expect any other problems, but to be honest I would not have expected the last one either so I guess try it and see :)
BTW I had a closer look at https://github.com/composer/composer/issues/11767 thanks to what you wrote above and I tweaked the code now so that Composer would just warn about an invalid API instead of crashing.
That said, yes indeed @drumm the problem is that you returned package names which were not expected in https://packages.drupal.org/8/security-advisories?packages[]=drupal/font... - We use the keys in the advisories object to map the advisories to a package, so returning others messes stuff up and overall looks dodgy to me.
It would be nice if you could fix and re-publish the API IMO, so I took a closer look and the way I see it drupal/fontawesome_iconpicker_widget itself has no vuln so it should not return anything. As that package requires drupal/fontawesome, Composer will install that and will request it from the API via https://packages.drupal.org/8/security-advisories?packages[]=drupal/font... if it is interested in that package's advisories, but the repo shouldn't try to resolve dependencies and return advisories for dependents of the project we ask for.
Does that make sense? Or is there another reason you returned that package?
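The client-side check discussed in this thread, as an added example that is not Composer's code and not part of any comment above: it drops advisory keys that were never requested and returns warnings instead of raising. Assumptions: the response is a JSON object with an `advisories` map keyed by package name whose entries carry `packageName`; `check_advisories` is a hypothetical name, and the sample responses and advisory ids are constructed.

```python
import json


def check_advisories(requested, body):
    """Return (accepted, warnings) for one API response; never raises."""
    accepted, warnings = {}, []
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return accepted, [f"invalid JSON: {exc}"]
    advisories = doc.get("advisories") if isinstance(doc, dict) else None
    if advisories == []:  # PHP's json_encode emits an empty map as []
        return accepted, warnings
    if not isinstance(advisories, dict):
        return accepted, ["no 'advisories' object in response"]
    for key, entries in advisories.items():
        if key not in requested:
            # A key we never asked for cannot be mapped to a package: drop it.
            warnings.append(f"unexpected key {key!r} ignored")
            continue
        if not isinstance(entries, list):
            warnings.append(f"{key!r}: advisories are not a list")
            continue
        accepted[key] = [e for e in entries if isinstance(e, dict)]
        for entry in accepted[key]:
            if entry.get("packageName") != key:
                # Kept, since the key was requested, but worth surfacing.
                warnings.append(
                    f"{key!r}: packageName is {entry.get('packageName')!r}")
    return accepted, warnings


# Constructed sample responses (assumed shape, placeholder advisory ids).
DEPENDENCY_LEAK = json.dumps({"advisories": {"drupal/fontawesome": [
    {"advisoryId": "EXAMPLE-1", "packageName": "drupal/fontawesome"}]}})
SUBMODULE = json.dumps({"advisories": {"drupal/paragraphs-paragraphs_library": [
    {"advisoryId": "EXAMPLE-2", "packageName": "drupal/paragraphs"}]}})

if __name__ == "__main__":
    cases = ((["drupal/fontawesome_iconpicker_widget"], DEPENDENCY_LEAK),
             (["drupal/paragraphs-paragraphs_library"], SUBMODULE),
             (["drupal/fontawesome"], '{"advisories": []}'))
    for req, body in cases:
        print(req, *check_advisories(req, body), sep="\n  ")
```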