> Our threat model is that all software developers make mistakes, and sometimes those mistakes lead to vulnerabilities
That’s not a threat model. What are the attackers going to do if there are vulnerabilities in your executable? Is it connected to a web server?
Does it have access to privileged resources?
They're using it in the sense of "the scope of this document covers this scenario," so the answer to all of your questions are out of scope.