I think with any process that involves ‘could be public, could be private’ there’s going to be scope for user error every time someone creates a topic. Whether it’s picking the right category, or remembering to click ‘whisper’, or adding a tag that then does some CSS magic to hide it, and so on. There’s a point where you have to make that choice and an accompanying opportunity to mess it up. 
I think a subcategory is the way to go to be able to have confidence in the visibility protections. If you don’t want to toggle on sub-subcategories for this (or adjust your top level category structure with an alternative like Category Groups) you can have an extra subcategory in Support for #internal-bug-reports and then use the topic filter to create a custom topic list including topics from both categories, which you can then add to the sidebar for your devs to use.
Just for fun, I tested whether I could flip the post_type of an OP using the API. And while it did work, it still appeared in the topic list to a non-whisper test user and then errors out when they click into it. 
So it seems there would need to be some additional dev work to smooth that out (and there may also be other conflicts for the unexpected behaviour too when you start poking around)