That may be true for software that you download and install as an app, but for SaaS, there is no need to expose the code to anyone at all. Only your API endpoints are available. You can try and "black box reverse engineer" through the client code and its API calls, but that's not the same as having the server code in hand to pick apart.