I think cal.com is assuming LLMs are only good at hacking with the source code of the target, whether that's true I don't know

Going closed source is making the branch secret/private, not making it obscure. Obscurity would be zipping up the open source code (without a password) and leaving it online. Obscurity is just called taking additional steps to recover the information. Your passwords are not obscure strings of characters, they are secrets.