
The last nightly I see is 3.3.20191004-nightly, does it have the fix?

(Thanks for your work, amazing application)

Edit: Looking at the parent of that commit, I'd say no.



No. The nightly will be fixed tomorrow. I had to wait until this morning for a coordinated disclosure.


Wow. I have never heard of this and not considered it before, but you are right. If you had pushed a fix for the nightly build prior to a fix being available on the main branch, it would have amounted to a disclosure about the stable version to any watching would-be attackers. At least for critical vulnerabilities like these, holding off for a coordinated disclosure like this, which raises user notice as much as possible while not tipping your hand, does seem like a very smart policy. I follow security stuff pretty regularly (I'm not a user of iTerm2 and read this article and these comments to find out what the exploit would be and what bug led to it, for instance) but I have never come across a developer doing this intentionally. Is it a well-known security posture thing that I have just missed?

In any case, thanks for your contributions with a tool that is obviously so useful to so many. I almost never use macOS, but I do own a 2015 MBP from some development I needed it for in the past. Next time I boot it up, you can be sure I will be installing iTerm2. (I might actually have it and just not remember, but I don't think so, I never invested too much into the platform.)



