Worked on a similar platform. The real risk isn't the code - it's the config files. Government deployments have hardcoded staging credentials, VPN endpoints, and encryption keys that don't get rotated when code leaks. Source is whatever. Those env files are the skeleton key.