And if Red Hat does get nasty, anyhow?

Probably not likely to happen soon, if at all.  Right now, efforts like WhiteBox Linux and BudgixOS are under the radar.  I believe that by the time Red Hat were make a move changing a long held policy, there will be enough uptake of BudgixOS type efforts to fund personnel to handle our own security errata.