[hardwaresofton]

Yup that's precisely my point -- if this is the case then where is the protection from aaS that everyone seems to think is there? All the provider has to do is just... not modify the software, or only make modifications that don't expose their proprietary orchestration systems and benefit everyone else in the process (but they really benefit the most, because they're making money off of the software).

If you get more nefarious with it, what if they started building tooling around it -- like a proxy that rewrote requests to fix a bug, or a file system that sat underneath the program that solved some issue with IO?

I also think that the majority of value delivered by something like RDS is not actually proprietary changes, it's just the underlying software being kinda good (because it was developed in the open, and the F/OSS community was leveraged as bug finders and fixers) -- I'm thinking mostly of Postgres. Even things like HA and scalability are often considered in projects these days, so you wouldn't even need to add much to check off the usual enterprise-y boxes.