The question is not "do we _suppose_ that it's _likely_ that they _would_ do something similar?", but rather "is it _possible_ that they _can_ do something similar?"
If you're using a proprietary engine made by a for-profit company, the answer to that second question is always "yes", and the answer to that first question is always subject to change.
If you're using an open-source engine, the answer to the second question is "no" (because in the worst case you can fork it to buy yourself time), and the answer to the first question is totally moot, because the first question is no longer a thing.
It's about risk management: optimism is not a strategy. Mitigation by removing the attack vector _is_ a strategy.