Well, if you had the search ranking algorithms or the bot-detection algorithms or anything inherently adversarial like that, then you could do all kinds of nefarious things. But that stuff's locked down more tightly. Likewise with a few ultra-hard-tech things where the implementation's a major competitive edge.

I imagine looking for vulnerable areas of the code might be something people would be interested in doing. Maybe start with login or billing or something. You could also look at recent activity to spot new, unannounced projects. You could use blame to find who wrote what and target them for anything from job offers to social engineering attacks.

Most of that information is readily available on the corporate intranet without having to dig through source code.

Security-by-obscurity isn't something to rely on (again, except in the case of things like abuse detection where there's no alternative).

You aren't necessarily looking for things that would be defined as security by obscurity. You're looking for bugs with a security implication. With the source code, you can look for these bugs without arousing suspicion.

People can find vulnerabilities without the code too.

id make an art piece where each line of source code was printed 1mm high on the walls of a room. . . . .. . and then..... it would show the program counter "live" on the wall as code was executed. like it would shine a light on the line of code, like a realtime debugger.