prepare works a bit differently than escape in that it works on whole strings and manages quoting as well.
$pat = "UPDATE {$wpdb->posts} SET %s = %s WHERE ID = %d";
$qry = $wpdb->prepare(
$pat,
$key,
$visibility,
$post_id
);
$wpdb->query($qry);
You do not need to swap in the table name at all, and with prepare you can’t swap it in because the table name will be quoted and the SQL will break.