Smartphone as peripheral

Yes they can.

It's not common because originally Android was not supporting Peripheral role and still today it's up to handset manufacturer and for some (typically older Android 5) devices it's not supported.

Second reason is power consumption: BLE was originally (and probably still is) used by deeply embedded "peripheral" devices like sensors (smart watch and other wearables, home appliances) and these are supposed to have long-lasting batteries while mobile phones and tablets are anyway expected to be charged every +-24 hours so bigger power consumption with BLE GAP Central role won't be a big problem.

Thanks. Are there any security or privacy factors to be considered for choosing one way or the other?

Yes, there might be consequences if you care about privacy, which is general problem in BT. Broadcasting side (GAP Peripheral) is more vulnerable to tracking and that is even it uses rotating random/pseudo-random MAC (because rotation is after few hours so if you really want you might still catch the change based on signal strength and advertising interval). However more and more mobile devices implement this feature and for all standard applications it should be enough (= users should not be target of bot networks which just log MAC addresses and adv. packets because they won't be able to link MAC address before the rotation and after). And even if you are GAP Central device and any application invoke active listening+scanning then your low layer BT stack starts sending SCAN_REQ packets to scannable ADV broadcasters and even this is not directly observable it indeed can be seen and it... (1/2)

...(2/2) contains MAC address as well.

TL;DR if you care about privacy you should run some feasibility, otherwise it is better to be Observer/Central but even if you broadcast modern devices should hide your real MAC against untargeted tracking attacks