There is absolutely nothing special about backends in this regard except that it’s more likely that the attacker doesn’t have access to the code or binary.