
Security through obscurity is not security at all.

https://en.wikipedia.org/wiki/Kerckhoffs's_principle



I’ve always felt this argument breaks down with smaller scale targets. I’d argue security through obscurity is not security, but there can be safety in obscurity.

There are a massive number of systems that are completely bespoke for small organizations or even individuals, and their user base isn’t going to grow.

What’s more, these systems are extremely liable to rot: the contract developer writes the system and moves on. That means library versions in the repo aren’t going to get updated when new vulnerabilities are found. So now this random 1-GitHub-star system is sitting unpatched out for anyone to see.

Now what might have been a hard-to-find but exploitable issue risks getting a black hat spotlight shone on it.



