Yes, you can use GitHub or your IDE or a CMS like Forestry or Netlify to update posts, pages and layouts. There are pros and cons to each. Sometimes, if I am confident in the change, especially around content rather than code, I’ll make the change directly in GitHub. This is also particularly useful if you add an Edit with GitHub page on your site - I find this is useful to jump from the GitHub.io site to editing on GitHub, even if no one else uses the button (they’d have to fork the repo too).
Regarding vulnerabilities, what I have done recently is bump to the latest Jekyll version on 3.X, which also solves the Kramdown issue without having to lock down Kramdown in the Gemfile or the lockfile.
And to keep up with future updates, I don’t pin at Jekyll 3.9.0 but rather let it float to any 3.X (but < 4.X):
gem 'jekyll', '~> 3'
You could also do this for 3.9 and above, setting a min version. This is more verbose.
gem 'jekyll', '>=3.9', '<4'
gem 'jekyll', '~> 3.9', '>= 3.9.0'
Or maybe just ~> 3.9 is sufficient - still new to this.
I also deleted the lockfiles - I’ll regenerate them eventually when I do a local install.
I did that on a bunch of my repos to resolve the vulnerability.
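The version ranges that the Gemfile constraints quoted above admit, as an added example that is not part of the original post. It evaluates them with RubyGems' own `Gem::Requirement`; the version list is a constructed sample, not an actual Jekyll release list, and the helper names are hypothetical.

```ruby
require 'rubygems'

# Constraint sets exactly as they appear in the post.
CONSTRAINTS = {
  "~> 3"             => ['~> 3'],
  ">=3.9, <4"        => ['>=3.9', '<4'],
  "~> 3.9, >= 3.9.0" => ['~> 3.9', '>= 3.9.0'],
  "~> 3.9"           => ['~> 3.9']
}.freeze

# Constructed sample of version strings used to probe each range.
SAMPLE_VERSIONS = %w[2.5.3 3.0.0 3.8.7 3.9.0 3.9.5 3.10.0 4.0.0].freeze

# Versions from the sample that satisfy every clause of the constraint set.
def admitted(constraints, versions = SAMPLE_VERSIONS)
  req = Gem::Requirement.new(*constraints)
  versions.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# True when the constraint set would still accept a version older than `floor`.
# Such a range only ends up on a patched release if the resolver happens to
# pick a new enough version; the constraint itself does not enforce it.
def admits_below?(constraints, floor, versions = SAMPLE_VERSIONS)
  floor_version = Gem::Version.new(floor)
  admitted(constraints, versions).any? { |v| Gem::Version.new(v) < floor_version }
end

# Two constraint sets are equivalent over the sample if they admit the same versions.
def equivalent?(a, b, versions = SAMPLE_VERSIONS)
  admitted(a, versions) == admitted(b, versions)
end

if __FILE__ == $PROGRAM_NAME
  CONSTRAINTS.each do |label, clauses|
    note = admits_below?(clauses, '3.9.0') ? 'no 3.9 floor' : 'floor at 3.9'
    puts format('%-18s %-12s %s', label, note, admitted(clauses).join(', '))
  end
end
```

Over this sample, `~> 3` accepts any 3.x release including ones before 3.9, while the three 3.9 forms accept the same set and differ only in verbosity.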