Comment by kazinator

2 hours ago

The non-strawman version of "security through obscurity" is the belief that a system is secured by means of keeping its mechanisms secret.

Suppose an organization doesn't believe such a thing; it's still more secure to keep code secret than not.

Obscurity is a valid layer of security, just not a valid cornerstone or linchpin of security.

In particular, when code operates as a service (end users don't have the executable code on their machines) then protecting the source code is a real security measure. Without it, attackers can only probe the service as a black box, guessing about what it is doing.