I work at VGS. Because of our mission is to secure the world’s sensitive information we will never let pricing get in the way of security. So yes, our product really is free. There is a cost for the external auditor and that ranges from 15k-25k for SOC 2.
As far as expectations for 2 above, in my experience, teams really love having a completely separate environment per PR. Gitlab has done this on top of Kubernetes using a dynamic domain such as <truncated-branch-name>-review-app.domain.com. This gives QA and stakeholders the ability to easily review/signoff on changes prior to going live and not getting bottlenecked by a small number of QA/UAT environments. This becomes particularly helpful as the engineering team scales up.
Right, but doesn't that just prove that there's a market for the product? You could build a similar app with a more attractive/relevant UI, make it easier/quicker/cheaper to use, or market it towards a specific niche.