
It delays everything. You can manually override some packages, but the community can't push through it.



RPM (YUM? DNF? RHEL?) lets me subscribe to security updates separately from updates. Does that concept exist in language distribution?

I don't know how it would. Hackers would just claim everything is a security update.

Unless maybe you give special permission to some trusted company to designate certain releases of packages they don't own as security patches... But that sounds untenable.


It would have to be handled by the repository owner (e.g. PyPI), similar to how quarantines are done.


