Tor Project recommends using their repository for Debian/Ubuntu users. (Asked in IRC)
Debian package maintainer did not respond. (Asked via email)
Installing from backports is a thing.
The tor package being obsolete seems to affect mainly relays, as it’s barely mentioned on the web in other contexts. Hopefully it’s not unsecure for use as a client.
To reiterate: It is up to date in Debian, but directory authorities report the version as obsolete (should no longer be used). All packages must stay up-to-date for security purposes - is my cause for concern.