Every line of code, every dependency, every service, every environment, every configuration, every Event, every generated log, all data, all processes, all communications, all side-channels must be maintainable, patchable, auditable and assumed to be under constant opportunistic attack
Logging and profiling is a minimum to have any idea that you may have folks or software poking for holes.
The only reason it might appear that way is nobody has bothered to try yet. Just wait until you have something valuable going on with your software.
The application will be exploited and broken so there must be a strategy for identifying, managing, understanding and cleaning-up after a breach.
For real: have a disaster plan and a going public plan when you inevitably lose track of important data or have a giant picture of a scrotum on your website that you didn't put there and you don't recognize.