> If package X is of sufficient public interest (user count, nature/sensitivity of user data, downstream distribution, etc), then the public interest + cryptographic credentials should permit access to best-available security auditing.

Your private fork doesn't meet the conditions described.

Not just allowed to do, encouraged to do as part of legitimate development.