I mean... If they tried, they could exploit some known CVE. I'd bet more on a scenario along the lines of:

"well, here's the user's SSH key and the list of known hosts, let's log into the prod to fetch the DB connection string to test my new code informed by this kind stranger on prod data".