Source code doesn't help that much, and sometimes the assembly makes some bugs more obvious. They really don't need the source. They just decompile it.

People without reverse engineering experience often think there's a massive difference between white-box and black-box auditing, but there really isn't. Yes, it takes longer, but not ridiculously so.

NSO aren't interested in being an overtly criminal operation; breaking into Apple and stealing source would be a giant liability they don't need to have. Their game is feigning ignorance as to what their customers do with their software. They can't afford to be caught commiting crimes directly.

Nah that’s what tools like IDAPro and Ghidra are for. You don’t need source although it does help.

That said, the particular component this targets is open source. It’s the JBIG2 decoder that is part of XPDF.

I mean, it would just be a prudent business move once the first PoC comes out right? You know that Apple is going to patch it eventually. It totally makes sense to try to pop a dev box and exfiltrate the source code. The only question is if they can make it past Apple's network security - it's unlikely that devs are allowed to take their work MacBooks with iOS source code home.