I think you're just guessing here without an accurate mental model of what is being described.

> It sounds like this site is packing the two together,

1. No; as you said, no ROM hacking site distributes the original ROM. This one is no exception. They don't want to flagrantly violate copyright. (And in fact, modern patch formats — xDelta, UPS, BPS — are designed to avoid even minor "quotations" of the original copyrighted material, by using "copy offset:length" ops, or by storing partial/sparse patch segments as XOR deltas of the old and new files.)

> and the patchers are causing the flagging issues

2. No ROM hacking site distributes a patcher executable along with the patch. It'd be a huge waste of both bandwidth and storage space on their CDN. Besides the very reason coming up here (novel archives containing executables make anti-virus programs unhappy), there's also the fact that modern emulators, when loading a ROM, will auto-apply a patch in-memory if one is found in the same directory + with the same basename as the ROM. (Similar to how VLC auto-loads subtitle files if found beside a video file.) Creating an on-disk modified ROM using an explicit patcher utility is, for the most part, unnecessary today.

FYI, I downloaded the first ROMhack I saw from the referenced site (romhack.ing). It was a .zip file. Decompressing it, all it contained was a set of .ips files (variants of the patch) and a README.txt.

In short, there is no inherent, structural reason that a site hosting only archive files like this one, would trigger any anti-virus system.