Currently Dependabot appears to be configured to run against the VMR (in AzDO). You can see the active issues here.

It doesn't seem desirable that Dependabot is opening PRs in the VMR against product source - example. It would be better for these to be opened directly against the product repos for the following reasons:

1. Product repo unit tests don't run in the VMR, these PRs should have the product unit tests run against them.
2. If opened in the product repos, product owners will have more visibility on them.

To configure this, you can define a dependabot.yml in /.github or /.azuredevops depending on the configuration. You can customize the configuration as documented here. It appears that separate configurations are needed per package-ecosystem. Each configuration defines the directories to operate which could exclude /src. We wouldn't need to define all ecosystem rather just the applicable types such as npm, nuget, docker, maven, github-actions, and devcontainers.