At least for Wikimedia, the common workflow for security patches is to upload them to Phorge as files. Uploading a patch to a git repository privately is not always possible or easy, and Phorge already contains the details of the security issue, so it's logical to use it for code review.
It would be convenient if people who have the right to download a patch file from Phorge were also able to view it as a diff, just as one can view the content of image files.