Thanks, that is indeed a useful threat, but I am still not positive on what Apples officially supported way of doing this is. It seems like the client either has to share their distribution certificate or the external developers need to share their source code. Both these solutions are not ideal. And it is difficult for me to convince either side to make sacrifices on security. So having back-up from official Apple documentation/devSupport would also help me make a convincing case for 1 solution

I don't fully understand the first scenario. If we would add external developers to our team, why would they still need to send an app for us to upload. I thought the whole point was that they could then do it themselves. Also, is Apple recommending that we share our distribution certificate, the client is (understandably) very hesitant to do this. Even though it alone is not enough for any malicious party to do harm. It is a layer of security and stripping it seems risky.