What are those? I've never heard of such a thing, if the CPU FLASH is wide open.
I mean, you know, the source code of pretty much all of the Internet architecture is "wide open" for anybody to examine, yet the very same software is used in mission critical data security stuff, e.g. internet banking. The same thinking of course applies to a firmware project. Regardless of what you try to do, your program is wide open anyway. Security does not need obscurity, quite the opposite.
These practices are things like asymmetric key encryption and signing (e.g. TLS), using proven-good networking stacks, following vulnerability reports and taking actions... It's not perfect, but that's how the real world runs with surprisingly rare problems. (There are always some, e.g. OpenSSL has some major security issue every few years.)
Further, you use practices like generating device-unique private keys so that compromising one device does not give access to any other device.
If you need a product where you cannot extract data (or pretend to be that device) even with full, unlimited physical access, then things indeed get quite difficult. You almost always depend on IC-scale special custom solutions which you carefully discuss with the IC provider, and make agreements on sharing the responsibilities. Stuff like ST's generic lock bits are too unreliable.
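
The device-unique key practice mentioned in the post above, as an added Go example that is not part of the original post: each device gets its own Ed25519 key pair, the backend keeps only public keys, and a key taken from one device does not authenticate as any other. The device IDs, the `Registry` type and the challenge format are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry is the backend side (hypothetical type): it stores public keys only.
type Registry map[string]ed25519.PublicKey

// Provision makes a fresh key pair for one device; the private half goes only to that device.
func (r Registry) Provision(id string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source: provisioning cannot continue
	}
	r[id] = pub
	return priv
}

// Respond signs the server's nonce, bound to the identity being claimed.
func Respond(key ed25519.PrivateKey, id string, nonce []byte) []byte {
	return ed25519.Sign(key, append([]byte(id+"|"), nonce...))
}

// Verify checks a response against the public key enrolled for the claimed identity.
func (r Registry) Verify(id string, nonce, sig []byte) error {
	if pub, ok := r[id]; !ok || !ed25519.Verify(pub, append([]byte(id+"|"), nonce...), sig) {
		return fmt.Errorf("authentication failed for %s", id)
	}
	return nil
}

// Demo tries the key held by dev-A against both identities (IDs are constructed).
func Demo() (asA, asB error) {
	reg := Registry{}
	keyA := reg.Provision("dev-A")
	reg.Provision("dev-B")
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return reg.Verify("dev-A", nonce, Respond(keyA, "dev-A", nonce)),
		reg.Verify("dev-B", nonce, Respond(keyA, "dev-B", nonce))
}

func main() { fmt.Println(Demo()) }
```

Because the registry holds no secret material, reading it out gives no signing capability either; revoking one device is a matter of deleting its entry.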