The obvious point of comparison is security consultants. A security consultant knows a lot less about your product than your engineers do, but that's precisely why they're helpful - they bring an outside, generalist perspective that isn't bogged down by all the arguments you've accreted over the years about why X component has to be structured in Y way and there's no need for a security boundary around Z.