Also, smuggling a single binary out of a set of systems is likely far easier than targetting a source code repository or devbox directly.