I would put it differently: when you already have a mental model of what the code is supposed to do and how, then reviewing is easy: just check that the code conforms to that model.
With an arbitrary PR from a colleague or security audit, you have to come up with mental model first, which is the hardest part.
With an arbitrary PR from a colleague or security audit, you have to come up with mental model first, which is the hardest part.