Could Content-Only plugins help at all (to obscure source assets at least)?
Not that that really means much to those with the right motivation. As regards controlling access… It used to be next to impossible, now it’s plain ridiculous. You can imagine scenarios yourself. It’s crunch time. A contractor’s locked-down machine fails. Somehow they’re now sitting at a staff production rig and have access to everything… Someone leaves a USB memory key lying around… There’s an unsecured Repo somewhere… A rogue Cloud-backup… An S3 bucket left open etc etc.
You’re battling siege mentality like fighting hackers. You have to keep them out 24/7 and man the castle walls, while all they need to find is just one weak point in your defenses. Then it’s game over… In general, the amount of chaos contractors can do is immense… That’s why security pros consider internal threats a higher risk than external… (Recent Case: Trend Micro etc)
As regards legally going in ‘heavy handed’. That only goes so far. It works OK in places that are litigious. But much of the world isn’t, especially when it comes to Online / Digital Crimes, where impunity rules! Plus you need a war-chest as legal costs are high. It might take years before you realize wrongdoing too… Either way, assets can still just be ripped from the binaries anyway… Interesting question overall though, especially with online partnerships and internet distance etc…