What enterprise certs are meant for and what they are used for in practice are very different things. Apple themselves bought out the Testflight service and integrated it into their toolchain and it was built on using enterprise certs to distribute to external users.
It has always been used as a release valve for the standard restrictions of the app store process.
> Apple themselves bought out the Testflight service and integrated it into their toolchain and it was built on using enterprise certs to distribute to external users.
This isn't true; when you logged in with TestFlight, they pushed a configuration profile to you that would collect your UDID. The developer would then register those UDIDs with Apple and sign the app with an ad hoc provisioning profile / normal developer certificate, as Apple intends.
You could also distribute enterprise apps through TestFlight, but they did nothing specifically to help you do that, they were just a hosting service in that respect. They certainly didn't abuse enterprise certificates themselves, although somebody using their service could, just as they could use any hosting service to distribute the apps OTA.
We're talking about the old TestFlight service from before Apple acquired them.
It's the new TestFlight service that distinguishes between internal and external testers. There's very little similarity between the old and the new TestFlight beyond their general mission statements. They don't work in the same way at all and the new TestFlight was built from the ground up.
It has always been used as a release valve for the standard restrictions of the app store process.