My approach falls into your ‘reveal complete’ category. In my experience (for a system that hasn’t been TM’d before) any existing capture of security information isn’t standardised, so capturing it in a standard way helps to add structure (which helps to detect if things are missing), and it makes it easier for others to review, learn from and copy. My approach actively encourages capturing existing controls, which then became a great list of things for security testers to actually look at to confirm those controls work as expected!
Well, my approach is also with reveal completely. A capture of current state with existing control sets and what controls exists that is not implemented is a great start to directly add value to the whole of exercise. It also give some realistic insights on real threats.