With source code and IaaC within the same project and residing in pulumi, if security is concerned just have IaaC inside pulumi and source code in Gitlab? But then separately into different repos defects the purpose of having source and IaaC nicely together as one...?

I don’t quite follow. Pulumi is source code. It can live in GitLab. It defines your infrastructure as code. You do not need to split anything.