by StillBored
3652 days ago
Yah, I've had this discussion numerous times, especially with regard to hiring people from a competitor. Often you wonder how much information is traveling via unintentional side channels (not just employees that are also on the payroll of a 3 letter agency). OTOH, there does seem to be a fair amount of competence where it matters though. In the couple of companies I worked for, the private keys used for signing things were very quietly kept hidden from the vast majority of the engineering teams/etc. AKA, it was possible to create development/test builds all day long, but creating valid license keys/firmware updates/etc for the builds given to customers was limited to a formal process which contained the keys. The private keys were only available to a couple of people tasked with maintaining the automation from which the builds/keys/etc came. Those people rarely had a need to move/etc them either, and such activities were done in the open.