the shame around vibe-coded stuff is real but honestly - most of the code out there wouldn't survive scrutiny either, AI-generated or not. the difference is that vibe coding fails in predictable patterns. weirdly verbose error handling that doesn't actually handle the error, auth flows that work great until you send a malformed header, things like that.
for notifications specifically, the risky bits would be: what happens if an app sends a notification payload that's malformed or huge, how do you handle permission checks if the notification system process restarts mid-filtering, and whether the filtering rules can be bypassed by crafting notifications with weird MIME types or encoded text.
if you wrote tests for those edge cases (or even just thought through them), you're already ahead of 90% of shipped code, vibe-coded or not. the scrutiny you're worried about is actually healthy - peer review catches stuff automated tools miss.
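The edge cases listed in the comment above, sketched as a fail-closed filter. This is an added example, not part of the original comment or of the project being discussed; the JSON payload shape, the `decide` and `canonical` names, the size limit and the MIME allowlist are all assumptions.

```python
import json
import unicodedata

MAX_PAYLOAD_BYTES = 4096          # assumed limit for this sketch
ALLOWED_MIME = {"text/plain"}     # assumed allowlist
# Zero-width and BOM code points that hide keywords from naive substring checks.
INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))

def canonical(text):
    """Fold compatibility forms (fullwidth, ligatures), drop invisibles, casefold."""
    return unicodedata.normalize("NFKC", text).translate(INVISIBLE).casefold()

def decide(raw, blocked_terms, sender_allowed):
    """Return ("deliver" | "drop", reason); anything unexpected drops (fail closed).

    sender_allowed is True/False, or None when the permission lookup could not
    complete, e.g. because the service restarted mid-filtering.
    """
    if len(raw) > MAX_PAYLOAD_BYTES:
        return "drop", "oversize"
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (ValueError, RecursionError):   # bad UTF-8, bad JSON, absurd nesting
        return "drop", "malformed"
    if not isinstance(msg, dict):
        return "drop", "malformed"
    mime, body = msg.get("mime"), msg.get("text")
    if not isinstance(mime, str) or not isinstance(body, str):
        return "drop", "malformed"
    # Compare only the bare type; parameters and case must not change the verdict.
    if mime.split(";", 1)[0].strip().lower() not in ALLOWED_MIME:
        return "drop", "mime"
    if sender_allowed is not True:         # False and "unknown" are both a drop
        return "drop", "permission"
    text = canonical(body)
    if any(canonical(term) in text for term in blocked_terms):
        return "drop", "rule"
    return "deliver", "ok"

if __name__ == "__main__":
    # Constructed sample: fullwidth letters plus a zero-width space in the keyword.
    sample = json.dumps({"mime": "text/plain", "text": "ＦＲＥＥ mo\u200bney"}).encode()
    print(decide(sample, ["free money"], True))
```

Each return path maps to one test case: oversize, malformed, wrong type, unknown permission state, and a keyword disguised with compatibility characters.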