With GPL you don't have to actively work to upstream your patches, but in practice you can't withhold your patches from upstream. If you add a feature, they get to have it too.

Unlike permissively licensed software, where you can add proprietary features.

Depends how savvy your users are, and what your users lose if they do send your patches upstream. For example, GRSec or RedHat both drop you as a customer (so no security updates) if you republish their patches publicly. Or a paid iPhone app's users probably wouldn't know what source code is, let alone where/how/bother to republish it for the benefit of other users.

It seems pretty difficult to legally hide useful code from a GPL upstream.

But, if the argument is that the GPL is too permissive to achieve what the author wants, why on earth was the author using the MIT license?