Some projects are also developed in the monorepo and exported via Copybara.
My team also uses it to version Starlark rule sets internally.
I suppose if you're running some security analysis on code in your own repo, the fact that you've copied the code in means that it'll run on your third-party dependencies too, since they no longer appear to be third-party.
The key part for Copybara is that Google will make changes to the OSS projects from within the internal repo and everyone else will make changes to the OSS projects.
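For readers who have not seen a Copybara config, here is an added illustration of the two-way setup the comment above describes: one workflow exports the internal copy to the public repo, a second one imports outside contributions back. This is example code written for this thread, not configuration taken from the poster or from any Google project; the repository URLs, the `third_party/foo` path, the branch names and the author e-mail are placeholders.

```starlark
# copy.bara.sky (example, not from the original thread)
# Assumptions: the internal monorepo keeps the project under third_party/foo,
# the public GitHub repo holds it at its root, and both use a "main" branch.

INTERNAL_REPO = "https://internal.example.com/monorepo.git"  # placeholder
PUBLIC_REPO = "https://github.com/example/foo.git"           # placeholder

# Direction 1: internal -> public.
# Commits land in the monorepo first; this workflow squashes the changes
# under third_party/foo and pushes them to the OSS repo. core.move() drops
# the internal path prefix so the public tree starts at the project root.
core.workflow(
    name = "export",
    origin = git.origin(
        url = INTERNAL_REPO,
        ref = "main",
    ),
    destination = git.destination(
        url = PUBLIC_REPO,
        fetch = "main",
        push = "main",
    ),
    # Internal authors are rewritten to a single bot identity on export;
    # the e-mail here is a placeholder, not a real account.
    authoring = authoring.overwrite("Foo Exporter <foo-export@example.com>"),
    mode = "SQUASH",
    transformations = [
        core.move("third_party/foo", ""),
    ],
)

# Direction 2: public -> internal.
# "Everyone else" changes the OSS repo; this workflow pulls those commits
# into the monorepo, putting the files back under third_party/foo.
# Running it with ITERATIVE mode keeps one internal change per upstream
# commit instead of collapsing them, which makes later review and
# bisection of imported third-party code easier.
core.workflow(
    name = "import",
    origin = git.origin(
        url = PUBLIC_REPO,
        ref = "main",
    ),
    destination = git.destination(
        url = INTERNAL_REPO,
        fetch = "main",
        push = "main",
    ),
    # Keep the external contributor's name and e-mail on the imported change.
    authoring = authoring.pass_thru("Foo Importer <foo-import@example.com>"),
    mode = "ITERATIVE",
    transformations = [
        core.move("", "third_party/foo"),
    ],
)
```

You would run `copybara copy.bara.sky export` after internal commits and `copybara copy.bara.sky import` to pick up upstream work; the point of the two `core.move()` calls being mirror images is that a file round-trips to the same path in each tree, so the next sync in either direction does not see spurious renames.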
Having a public repo as a dependency for your private corporate repo is a pain in the ass development-wise. Having a tree of such dependencies is a migraine.
Say, to rebase upstream MySQL changes onto a fork in the monorepo (in a random, non-specific example)