> security by obscurity doesn't work.
That is not true.
https://en.wikipedia.org/wiki/Security_through_obscurity
Security through obscurity doesn't work in isolation. It doesn't work as the only solution. It is discouraged, because it can be a panacea.
But it also doesn't hurt in many instances. Holding back your source code can be a strategic advantage. It does mean that adversaries can't directly read it (nor can your friends or allies!)
Having a proprietary protocol or file format is also "security through obscurity", and it may slow down or hinder an attacker. Obscurity may be part of a "defense in depth" strategy that includes robust and valid methods as well.
But it is harmful to baldly claim that "it doesn't work".