I understand that mercurial API’s need to evolve but this create too much work too follow the changes for a small extension like hgnested. Especially if standard alternative exists now that provides even more features.
I know but I think it applies to our use case. hgnested is probably also a last resort extension.
As far as I can see it was about using Git sub-repository. Indeed if Mercurial had no security issues, it will be suspicious. But having some, means that people are auditing it and so there are less issues. 
Indeed we do not know if hgnested does not have security issues.
Have you another proposal?