by kdbg
2950 days ago
You're not wrong at all. Having access to code is far more efficient. My favorite type of assessment to get is when I get a test env and code access. It is uncommon, though; a lot of companies are protective of their source code and don't want to hand it out to machines they don't totally control. In most cases when I get code access I either get a laptop from the client or a VPN and RDP onto a machine they control. As for charging, I've never been paid based on findings, but based on time. If they fix while I'm testing, that is great work by their team, but I'd prefer a stable test env, so it's a bit annoying. Libraries can be an interesting area; I focus my testing on code the client controls and only note known vulns in libraries they use. I have found issues in libraries before, and we report it to the client and work with them to disclose to the vendor if they want.