I don't think there's any legal exposure here. Article 16 of 14.063 gives an exception to code protected by Law 12.527/2011. Articles 22 and 23 seem to clearly allow for not releasing source code if that release risks the "financial, economic, or monetary" stability of the country.

Beyond that, Pix is so popular that I doubt a challenge would hold up in court. If it went to the STF, there's no way they wouldn't give Pix a carve out.

I'm as big a fan of open source as anyone else, but can we audit any other payment systems anywhere? Is that a reasonable expectation to have for payment systems?