Status: Open
Labels: build / ci (All about Build or Continuous Integration), enhancement (Improvement of existing features)
Description
Using VEX could be a good way to avoid some false positives during vulnerability checks.
But if it is used, direct/transitive dependencies should be managed correctly, which is generally not really done.
So maybe Maven tooling like depcheck-maven-plugin should be used in addition.
For more details see:
- https://www.aquasec.com/blog/introducing-vex-hub-unified-repository-for-vex-statements/
- https://aquasecurity.github.io/trivy/v0.56/docs/supply-chain/vex/file/#applying-vex-to-dependency-trees
- Some question about VEX for library aquasecurity/trivy#7784
(Not 100% sure this is a good move but I open this issue to keep in mind the idea)
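The concern above, as an added illustration (not Trivy's code and not this project's): a simplified VEX filter that honours a `not_affected` statement only when the subcomponent it is scoped to is actually present in the resolved dependency tree, so a stale statement written against an unmanaged transitive version cannot silence a real finding. Package identifiers, the dependency tree and the CVE id are constructed placeholders.

```python
"""Toy VEX application over a resolved dependency tree (added example).

Simplified from the OpenVEX idea of product + subcomponents: a statement
is applied to a finding only if vulnerability and product match and, when
the statement names subcomponents, the finding's component is one of them
AND is really in the product's resolved dependency set. All identifiers
below are constructed placeholders, not real artifacts or advisories.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln: str        # vulnerability id reported by the scanner
    product: str     # root artifact being scanned (PURL-like string)
    component: str   # dependency that triggered the finding

@dataclass(frozen=True)
class VexStatement:
    vuln: str
    product: str
    subcomponents: tuple = ()      # empty tuple = whole product
    status: str = "not_affected"

def apply_vex(findings, statements, dep_tree):
    """Return findings that remain open after applying VEX statements."""
    kept = []
    for f in findings:
        resolved = dep_tree.get(f.product, set())
        suppressed = any(
            s.status == "not_affected" and s.vuln == f.vuln and s.product == f.product
            and (not s.subcomponents                      # statement covers the product
                 or (f.component in s.subcomponents       # scoped to this dependency...
                     and f.component in resolved))        # ...which is really resolved
            for s in statements)
        if not suppressed:
            kept.append(f)
    return kept

def demo():
    """Constructed scenario: VEX was written for lib@1.0, but the build now
    resolves lib@1.1 transitively, so that statement must not apply."""
    app = "pkg:maven/com.example/app@1.0"
    dep_tree = {app: {"pkg:maven/org.example/lib@1.1", "pkg:maven/org.example/util@2.0"}}
    findings = [Finding("CVE-0000-0001", app, "pkg:maven/org.example/lib@1.1"),
                Finding("CVE-0000-0002", app, "pkg:maven/org.example/util@2.0")]
    statements = [VexStatement("CVE-0000-0001", app, ("pkg:maven/org.example/lib@1.0",)),
                  VexStatement("CVE-0000-0002", app, ("pkg:maven/org.example/util@2.0",))]
    return [f.vuln for f in apply_vex(findings, statements, dep_tree)]

if __name__ == "__main__":
    print(demo())
```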