• Using Profiler, Extended Events, etc. reveals what is being thrown at the DB but not how it is assembled. How it is assembled is important because you need to know what could be thrown, not just what has been thrown.
    If you don't know how it is assembled, how do you know that it is invulnerable to SQL injection attacks? People still write susceptible code. Boy, do they write susceptible code!
    With very few exceptions, the databases I have worked with have data with value to a wider audience than the originating app. That meant I had to understand the schemas but also the access patterns in order to extract the data safely.