The trade-off is more than "limited" from my PoV. Knowing we are publishing an advisory in general means that if you want to look for vulnerabilities, you have to search in 1800+ plugins, i.e. there is no advantage to know it. With the information we provide, meaning the popularity of the plugin, we still limit the scope to 100s of plugins.
If a branch is locked, that could provide information to some actors to look deeply in that plugin in particular. With such scope, the search is a lot simpler.
The locking being visible makes the "any reason" not really an argument from my PoV. Usually you apply branch protection but you do not lock your main/master branch completely. By watching the repositories, anyone is able to see changes and thus can act on them.
Also, the branch locking alone, will not provide a big defense against incident, if we let the maintainers with their admin permission, as they can just imagine it was an error from another maintainer and just decide to unlock the branch.
>
you weren't involved in the actual security fix
That's the idea with the advisories, to inform co-maintainer, even if they have not opened any SECURITY ticket. That information is available on the repository as well. The only caveat is the current GitHub UI does not display advisories in the tab, you have to use the proposed extension or any other mechanism for that.
I would like to get more opinions on the topic before investing time on it as the current version seems to be satifsactory for the beta testers.