This puts them on the same level of Linux - when doing Linux threat assessment we can count the attacker has the source code for everything.
In any case, it's silly to think otherwise. It's always safer to assume everyone that we wouldn't want to know something already knows that, whatever it is.
It's the same assessment level but may or may not be the same exposure level.
While Microsoft does not assume that attackers haven't seen the source code, we cannot say how many people who are capable of spotting security issues have reviewed the code.
That being said, it's worth also saying it's a hard comparison to make overall; it's possible there are important parts of the Linux code base that have in fact had less eyes on them than Microsoft has had on theirs; without numbers it's hard to be certain.
In any case, it's silly to think otherwise. It's always safer to assume everyone that we wouldn't want to know something already knows that, whatever it is.