"Previously, we obtained the source code for Rocky Linux exclusively from the CentOS Git repository as they recommended. However, this repository no longer hosts all of the versions corresponding to RHEL. Consequently, we now have to gather the source code from multiple sources, including CentOS Stream, pristine upstream packages, and RHEL SRPMs."
Why would you need RHEL SRPMS if the upstream packages contained all the patches and why refer to them as "pristine upstream packages" in the first place?
I believe that currently RH send a patch to the upstream project, then apply/backport it to CentOS Stream, then if they consider it appropriate apply/backport that to RHEL, and it's the first step there being their first step that's the 'upstream first' part.
The additional hassle Rocky are having is that since Stream is ahead of RHEL divining whether the third step was taken and if so with what, if any, backporting tweaks required, is rather trickier so to recreate the end result of all such third steps to get an identical (bar debranding) set of SRPMs to the ones used by RHEL your best approach has become to source the various bits of information you need to do that from multiple places.
Also I -suspect- the 'pristine upstream packages' thing is referring to the fact that most package formats, rpm definitely included, prefer to have an untouched copy of the upstream sources plus a stack of patches in their source packages and combine them during package build for both clarity and debuggability reasons.
They are going upstream because of a zero day patch that RedHat have, and is also upstreamed.
Hence why they are going upstream, to get the upstreamed patch that CentOS has not merged yet. So your entire argument appears to be that RedHat are doing upstream first.