An excellent summary; a little vague on details. If all server code can be compromised, and all client code, and the man-in-the-middle, what are you left to test?
The assumption is that you should consider your source code open and exposed to inspection by an attacker, not that it has been compromised. As a result, if any security control is dependent on "secret" functions or embedded keys in your source, the threat actor is going to know about them and will attempt to use them against you.
As a result, the test plan will need to take that into account.