My plan if I was able to work enough on Koha as I initially planed was to continue to backport normal patches to the public branch and on release day, rebase the security branch on it.
And do the release process on the security branch that had all the commits.
That matched how I understood the «RMaints will have security bugs pushed to their security repos (Regular repos will have everything BUT the security bugs)»
I'm not sure what everyone had I mind about this phrase but it look very diverse ^^

«it does no ci, has no benefit, except for rolling a security release, without disturbing the workflow on the normal branch you just push the security patches as you are about to release»
+1 
Thanks, it's simple to understand in the case of a dedicated out of yc security release.