It sounds like you’re asking for dependency solving. This is an available option when you publish your content view, but it is not generally recommended since it slows down publish time significantly and causes various headaches.
This is not possible. If the environment supports dnf update --security it inherently means that the environment is not “frozen.”
One other option to look into is incremental updates - if an erratum is applicable to a host but not installable because the content view is missing some needed packages, you can publish a minor content view version with only that erratum.