There are very few use cases where I believe read-only access to code from people in product, engineering or support should be restricted. Generally the net benefit is well worth the potential risk introduced.
If you are worried about people stealing source code, invest in a DLP or CASB solution. If you are worried about ransom, don’t allow changes without PRs, implement a backup program and harden your endpoints. Not allowing people to do things that help them understand the systems they work with is a recipe for shadow IT and promotes organizational silos.