Yes, this is true. It's usually code with sensitive IP in it, which is limited to the people working on it. The API around that code and the binaries that result from it are exposed to other teams, but not the original code.