It'd be nice if GitHub had better support for rewriting history as part of a PR review process, even something really basic like squashing groups of commits.
It's stripped away by their squashing and rebasing options for merging pull requests.
Git's commit signing is very flawed regardless. The signatures are hard-wired into the objects instead of being notes so there can only be one and it can't be updated if a key rotation happens.
The signatures only sign the object they get embedded into and otherwise depend on a graph of SHA-1 hashes to provide security. It's pretty far from ideal. It'd ideally use Git notes for detached signatures and wouldn't hard-wire GPG as the only option, among other things.