Hilariously, I found an answer shortly after re-opening this discussion and it involves basically tricking Dependabot. Reading through the Dependabot documentation, I said to myself "If only I could have multiple entries under updates, I could define the rules I want to." The problem, though, is that there can only be one entry per package ecosystem under updates. It turns out that that's not exactly true. Uniqueness is determined in a composite manner using package-ecosystem and directory. This allows for there to be different configurations for mono repos. In any event, my repo isn't a mono repo, but I was able to get the following to work using technically different, but functionally the same directory values:

version: 2
registries:
  mycompany:
    type: npm-registry
    url: 'https://npm.pkg.github.com'
updates:
  # security updates only
  - package-ecosystem: 'npm'
    directory: '.'
    schedule:
      interval: 'daily'
    open-pull-requests-limit: 0
  # @mycompany major and minor updates only
  - package-ecosystem: 'npm'
    directory: '/'
    registries:
      - 'mycompany'
    schedule:
      interval: 'daily'
    open-pull-requests-limit: 5
    allow:
      - dependency-name: '@mycompany/*'
    ignore:
      - dependency-name: '@mycompany/*'
        update-types: ['version-update:semver-patch']