Hello,
reading through the guide at the talk page, I'm worried about having more and more security issues/patches that do not receive enough attention.
With the current Phabricator-based process, everyone with access to security issues can see pending patches and offer their help as needed. If we move to the GitLab-based process, we'd be in a weird situation where I (a developer authorized to access security tasks) would be able to know the vulnerability (including any PoC submitted by the reporter), but I wouldn't be able to see if there is any patch pending, and if there is, help to review it. To me, that makes no sense – the fix doesn't provide any information that I wouldn't already have from the task itself. I often volunteer to help with various security tasks (and I've helped to review and/or deploy many of them), and I think this new process would make it significantly harder for me to continue doing so. Of course, the new process might say between the lines "people outside the SecTeam should not help with security tickets/patches", but I don't think that's a good move either.
Looking at the new process from the perspective of not-so-active security patch authors (I've also seen a few of them), it will likely be tricky to guess who "might assist with code review". With regular patches, it doesn't matter very much – the patch is public, and others might easily add more reviewers to facilitate a fast review. With security patches, that's not the case for obvious reasons (even if we only consider people who we trust to see the actual reports).
CC @SBassett (WMF), who I often interact with when helping in this area.