You might try with Gerrit, please have a look there: Andorid Code Review
Everyone is allowed to cherry-pick particular changes and apply them as a patches. Changes are stored in a non-standard Git reference directory (refs/changes) and with Gerrit's access right module you can easily control access to it.
So, in short, with Gerrit you might define 3 user groups:
- people having full access to the IP secured repository
- people having access only to the changes (so they are allowed to cherry-pick)
- people having access to both (if needed)