I agree with you here, you can get to other parts of the OS with this ability and will find different flaws. I would say that this comparable to an external penetration test vs a more formal internal practices and code review. Both are acceptable approaches finding different results.