which allows working in public and private branches in the same repository.
That doesn't seem compatible with how Git works: if you have access to a repo, you can clone all its content (including the branches).
A Git hosting service like BitBucket or GitLab allows you to protect a branch (meaning you cannot push to it), but you would still be able to see its content.
Even Gitolite doesn't prevent read access at the branch level.
So two separate repos are still the best approach, with the repo A (kernel) declared as a submodule of repo B.
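To make both points concrete, here is an added example (not part of the original answer, and not Gitolite's or any hosting service's code). It builds throwaway local repositories with made-up content, then shows that a plain clone already contains the "private" branch, and that a submodule reference in public repo B carries only a commit id, not the files of private repo A. It assumes `git` is installed; the repo and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original answer. Uses throwaway local repos
# (constructed data) to show:
#   1. a clone fetches every branch, so a "protected" branch is still readable;
#   2. a submodule pointer in public repo B does not carry private repo A's files.
# Assumes git is installed; repo names and file contents are made up.
set -eu

export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Prints the content of SECRET as seen from a plain clone of a repo whose
# "private" branch the cloner could never push to.
secret_visible_after_clone() {
  work="$(mktemp -d)"
  git init -q "$work/origin"
  (
    cd "$work/origin"
    echo public > README; git add README; git commit -qm "public commit"
    git checkout -qb private
    echo "the secret" > SECRET; git add SECRET; git commit -qm "private commit"
    git checkout -q -   # back to the default branch
  )
  git clone -q "$work/origin" "$work/clone"
  # Branch protection only blocks pushes; the clone already holds the branch.
  git -C "$work/clone" show origin/private:SECRET
}

# Prints "gitlink-only" when a clone of public repo B holds just the submodule
# pointer (mode 160000 commit id) for kernel repo A, "content-leaked" otherwise.
submodule_content_after_clone() {
  work="$(mktemp -d)"
  git init -q "$work/A"
  ( cd "$work/A"; echo "kernel source" > kernel.c; git add kernel.c; git commit -qm "kernel" )
  git init -q "$work/B"
  (
    cd "$work/B"
    echo "app source" > app.c; git add app.c; git commit -qm "app"
    # protocol.file.allow is required for local-path submodules on git >= 2.38.1
    git -c protocol.file.allow=always submodule add -q "$work/A" kernel
    git commit -qm "reference kernel repo A as a submodule"
  )
  git clone -q "$work/B" "$work/B-clone"
  # .gitmodules and the gitlink commit id are public; kernel.c only arrives
  # if the reader can also fetch repo A.
  mode="$(git -C "$work/B-clone" ls-tree HEAD kernel | cut -d' ' -f1)"
  if [ "$mode" = 160000 ] && [ ! -e "$work/B-clone/kernel/kernel.c" ]; then
    echo gitlink-only
  else
    echo content-leaked
  fi
}

echo "private branch content after clone: $(secret_visible_after_clone)"
echo "submodule A inside clone of B: $(submodule_content_after_clone)"
```

The second function is the setup the answer recommends: repo A stays private on its own access list, repo B only records which commit of A it expects, and someone who clones B must separately be granted read access to A before `git submodule update --init` can fetch anything.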