by forgotusername6 1230 days ago
I imagine looking for vulnerable areas of the code might be something people would be interested in doing. Maybe start with login or billing or something. You could also look at recent activity to spot new, unannounced projects. You could use blame to find who wrote what and target them for anything from job offers to social engineering attacks.
2 comments

Most of that information is readily available on the corporate intranet without having to dig through source code.

Security-by-obscurity isn't something to rely on (again, except in the case of things like abuse detection where there's no alternative).

You aren't necessarily looking for things that would be defined as security by obscurity. You're looking for bugs with a security implication. With the source code, you can look for these bugs without arousing suspicion.
People can find vulnerabilities without the code too.