This is paradoxically because historically everything was wide open to anyone so access-control and such isn't super fleshed out for most apps behind the proxy. Random internal app X could have been conceived and built with very little oversight and opening it up to a rotating cast of temporary workers is seen as an unnecessary risk. Broadly used apps (e.g. the bug ticket system) tend to have app-level security-controls and are not blocked by the proxy for contractors.