The most recent PHP version in stretch is, as of now, 7.0.33-0+deb9u1.
As far as I can tell, this is (roughly) the same as upstream 7.0.33 and
not a relabeled later upstream version and it does not contain
significant backports from later upstream versions.

Do I need to assume that PHP 7.0 in Debian is now only
security-supported by Debian alone? Is any DD close enough to upstream
to be able to at least backport new fixes from 7.1 and later if

I found https://deb.sury.org/ which appears to be run by a DD. But I
noticed that this version of PHP pulls in a different version of openssl
which rang some alarm bells with me. I would very much prefer something
more official, e.g. backports.debian.org.

So, what do you do with your stretch servers running PHP now? Pray for
good support in Debian, upgrade to 3rd party packages? Upgrade to buster

FWIW, the PGP key used for the repository (AC0E47584A7A714D) is
signed by Ondřej Surý (0C99B70EF4FCBB07) which, in turn, is
signed by 184 keys from debian-keyring. The WoT probably does not get
better than that.