Why? What's the danger here? Is the original maintainer going to send someone named Vinny to break your legs if you fork a project that won't accept a security patch you need?
I think you should just fork it privately, apply your patch, and move on with your life.
If you're keeping it private, none of this applies. I'm talking about "hey that project is bad, I am now maintaining a competing project, please use it instead."
Instead of framing it as "that project is objectively bad, my one is better", why not say "my project is a fork of this project but with a bit less unsafe" and then see what the community does?
Forking isn't provocative. Forking and then claiming your fork is objectively superior is.