I've been noticing these unexpected notifications from Avast Mobile Security (Pro) too for a while now on my Alcatel 3V phone, and finally decided to look into it, which brought me to this thread.
I've seen this happen pretty much every day with different apps involved, but I specifically noticed the Avast notification an hour ago about FX Explorer being safe as if it had just updated because (a) I have auto-updates turned off, and always watch out for available updates and trigger them manually, which I had not done for FX Explorer, and (b) I have been specifically hoping for an update for FX Explorer as I reported a bug in it to them awhile ago and have been hoping for a fix.
I can confirm that no update took place. There has been no update in that app since one last year, and the version number in the app on my phone still matches the one in the Play Store entry.
However, I notice from the system notification log that the unexpected 'checked an update and it's safe' notification from Avast Mobile Security for a non-updated app today, and another one for another app yesterday, both came moments after a notification (not displayed in the notification bar) from the download manager about the download of a 'Play security information update'. And I also see that Play Protect also scanned FX Explore today and the other app yesterday.
The notification log doesn't go back further to see if the pattern holds up (though I will look from now on), but it looks as if something in the Play Protect update caused Play Protect to scan those apps at that time rather than just in its regular app scans, and that triggered Avast Mobile Security to scan them too.
If that is the case, the question then becomes: is it actually intended, programmed behaviour that Avast Mobile Security should scan a non-updated app outside its configured regular scan time if Play Protect scans them as the result of one of its own security updates?
If it is, then I would suggest that (a) it should be documented, not left as what at first sight appear to be a worrying bug, and (b) it has its own notification message so it does not appear to be an after-update scan when it wasn't after an update.
Ans if it isn't, and is a bug, then it should be fixed.