I think it boils down to two things that are not mutually exclusive:
1. Are you building a monolith?
2. What does your org chart look like?
I work for a fairly large company where a monorepo doesn’t make a whole lot of sense because each team runs several services that get released or patched independently. If you have a large product composed of many components that need to function together as a cohesive whole, go ahead, use a monorepo.
I think the idea is that the protocol is resilient to differences in implementation. A bad actor, could for all intents and purposes, manipulate the implementation to their advantage. An implementation, reference or not, is merely a convenience for users who do not want to write their own clients (which is essential for adoption).
I work for a fairly large company where a monorepo doesn’t make a whole lot of sense because each team runs several services that get released or patched independently. If you have a large product composed of many components that need to function together as a cohesive whole, go ahead, use a monorepo.