I checked pcs 0.10.1-2 in buster and it turns out it is not vulnerable to CVE-2022-2735. Separate ruby daemon with a world writable UNIX socket was introduced later in 0.10.5:
https://salsa.debian.org/ha-team/pcs/-/commits/master/pcsd/pcsd-ruby.service.in Before that version python code runs ruby commands and they communicate by sending json responses on stdin/stdout. https://salsa.debian.org/ha-team/pcs/-/blob/38330deb0d849d6a1945856b24323043f6a7839b/pcs/daemon/ruby_pcsd.py -- Valentin