Presumably, the latter is less of a risk; they probably don't want NSO to know their business and there's going to be at least metadata leaking that points to what they're doing. Plus, presumably, there's always a chance NSO could play them off to a higher bidder?
I agree about UAE wanting to keep their cards close to the chest, but I think the choice between NSO/other third party hacking groups and developing in house is an AND statement, not OR. At the end of the day, developing adequate zero day chains that provide access akin to NSO's Pegasus is an extremely time and talent intensive endeavor, and having multiple options to procure those capabilities is the more likely solution.
