No client/customer information is on dev machines.
You can ssh to a set of machines where we push logs from our production servers, but this is only offered if your team owns the micro service. And those logs won’t contain anything that identifies a specific customer.
There’s a daemon that runs on all hardware that will revoke temporary privileges. If you kill the daemon you’ll get banned from the network - which blocks you from accessing any host as none of these hosts are directly accessible over the internet.
That’s not say everything is 100% bullet proof and couldn’t leak if someone really went rogue.
One of the things we did in recent years is run an internal repo of approved software packages. Some guy wrote some code for us, threw a copy of it on the web, and then tried to sue us saying that code was written before he worked for our company, blah blah blah, and that we stole it and owe him money. So thanks to Carl, my financial partners demanded stronger “regulations”. We now have a small team that will sometimes manually approve packages and pull them in. I also wrote some software to automate this so if you pull in some dependency from GitHub with one of our approved licenses, it’ll let you pull your package into our repo automatically.
A developer's PGP key would be a good example. PGP keys are used by git to sign commits and tags. Plus, they're stored in the home directory so they may very well be accessible to a rouge package in the event of a supply chain attack.