
Is there a need to secure a WinForms application in an intranet environment? Clearly, there is no external threat and only authorized personnel have access to the intranet environment, so I am not sure if there is a need to secure it. Unless it's an insider threat, however, it's still impossible as there aren't any necessary tools available or downloadable within the environment.

The only threat I can foresee is the transparency of my application. Within my WinForms application folder, the source files are made available to anyone, and users might have the ability to understand and reverse engineer those source files.

  1. Aside from parameterized queries or input sanitization, what other threats have I missed?
  2. How do I better secure those source files? Obfuscation?
schroeder
johny

1 Answer


I want to attack a few of your assumptions. They seem, on the face of it, dubious.

Clearly, there is no external threat and only authorized personnel have access to the intranet environment

Famous last words. How sure are you that no malware may be brought on premises unwittingly, via for instance a Word document with a malicious macro, a USB pen drive found in the parking lot, or similar? This may give third parties access to your internal network.

If the answer is that the network is secure against such threats due to X, then that should be documented as part of the security model for your application. After all, it's an access restriction.

Unless it's an insider threat, however, it's still impossible as there aren't any necessary tools available or downloadable within the environment.

How is it impossible? None of the computers have, for instance, Microsoft Office, with the possibility to write VBA macros? Or PowerShell? Or the possibility to plug in random USB devices with Python on them?

The only threat I can foresee is the transparency of my application. Within my winform application folder, the source files were made available to anyone and users might have the ability to understand it and reverse engineer those source files.

What are you protecting? What is your asset? An application may be an asset by itself, or it may simply be a front end for a backend database, in which case you may not care if someone modifies or copies your application, as long as the integrity of the backend is preserved. The approaches in those two cases would be totally different.

vidarlo
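The following is an added example, not code from the question or the answer. It illustrates both the question's point 1 (parameterized queries versus input sanitization) and the answer's point that when the backend is the asset, the client application must be treated as untrusted. The table names, the sample rows, and the shape of the "request" message are assumptions made for the illustration. Two versions of the same backend lookup run against an in-memory SQLite database: one that trusts a role claimed by the client and splices the client's filter value into SQL, and one that derives the role server-side and binds every client-supplied value as a parameter.

```python
"""Added example (not from the original post): the client is an untrusted caller.

A WinForms client that can be read, modified or replaced can send any message it
likes, so a backend that trusts the client's claims or its raw SQL fragments is
only as secure as the client binary. Sample data below is constructed."""

import sqlite3

# Constructed sample data; schema and names are assumptions for illustration.
SAMPLE_ROWS = [
    ("alice", "finance", 1200),
    ("bob", "finance", 800),
    ("carol", "hr", 950),
]
SAMPLE_USERS = [
    ("alice", "user"),
    ("bob", "user"),
    ("dave", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with a salaries table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE salaries (owner TEXT, dept TEXT, amount INTEGER)")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO salaries VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, request: dict) -> list:
    """Backend that trusts whatever the client sends.

    `request` stands in for the message a patched or reverse-engineered client
    could send: it claims a role and supplies the filter value itself.
    Trusting the role lets a tampered client escalate; concatenating the value
    lets any client inject SQL. Hypothetical handler, for contrast only.
    """
    if request.get("role") == "admin":
        sql = "SELECT owner, dept, amount FROM salaries"
    else:
        # String concatenation: the client controls part of the SQL text.
        sql = ("SELECT owner, dept, amount FROM salaries WHERE owner = '"
               + request["user"] + "'")
    return conn.execute(sql).fetchall()


def hardened_lookup(conn: sqlite3.Connection, authenticated_user: str,
                    request: dict) -> list:
    """Backend that enforces its own policy regardless of client behaviour.

    The caller identity comes from server-side authentication (here a plain
    parameter, standing in for e.g. the identity bound to the connection), the
    role is read from the users table rather than from the request, and the
    only client-supplied value (an optional department filter) is bound as a
    query parameter, never spliced into the SQL text.
    """
    row = conn.execute("SELECT role FROM users WHERE name = ?",
                       (authenticated_user,)).fetchone()
    role = row[0] if row else "none"
    dept = request.get("dept")  # may be None; bound twice for the IS NULL check
    if role == "admin":
        sql = ("SELECT owner, dept, amount FROM salaries "
               "WHERE (? IS NULL OR dept = ?)")
        params = (dept, dept)
    else:
        # Non-admins only ever see their own rows; the owner filter is derived
        # server-side, and any role claimed in the request is ignored.
        sql = ("SELECT owner, dept, amount FROM salaries "
               "WHERE owner = ? AND (? IS NULL OR dept = ?)")
        params = (authenticated_user, dept, dept)
    return conn.execute(sql, params).fetchall()


def demo() -> dict:
    """Run the same hostile inputs against both handlers and return the results."""
    conn = make_db()
    injection = {"user": "bob' OR '1'='1", "role": "user"}   # classic injection
    tampered = {"user": "bob", "role": "admin"}              # client patched to claim admin
    return {
        "vuln_injection": vulnerable_lookup(conn, injection),   # every row leaks
        "vuln_tampered": vulnerable_lookup(conn, tampered),     # every row leaks
        "hard_injection": hardened_lookup(conn, "bob", {"dept": "finance' OR '1'='1"}),
        "hard_tampered": hardened_lookup(conn, "bob", {"role": "admin"}),
        "hard_admin": hardened_lookup(conn, "dave", {}),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

In the hardened version the injection payload is simply an unmatched department name and the claimed admin role is never consulted, so a modified client gains nothing; whether the client is obfuscated or ships with its sources does not change this outcome, which is why the answer's question about where the asset lives comes first.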