NeophyteLM probably shouldn’t require security review until you mark it as public. However, since the security review workflow really doesn’t work on anyone’s timelines, they should at least not required it unless it’s going public. That would allow you to move them back and forth between portals.
Alternatively, allowing the author to specify which portals the module is made available to would be an easy to begin monetizing the exchange. Said monetization would reveal all source code in the module though, so there’s no security around it.
Suffice it to say, right now, the main goal of the exchange is just to work. Said work only involves LM getting their modules and module updates out to their customers. Once that (multi-year old) problem is solved, perhaps they can work on actual community exchanges, paid or otherwise.