All ST cortex-M have code readout protection. (I suspect most other manufacturers have something similar).
I seem to remember reading that there is a demonstrated weakness on some STM32L0xx, where code readout-protection level 1 could be compromised. But that it didn't extend to Level 2 (so even those could be left secure). Nor did it extend to the rest of the stm32 family.
But there are other ways for the "bad guys" to get hold of your code. For example, if you hand over a file to a board-manufacturer and ask them to make 1000000 units, there's nothing stopping them from making more and selling them on the black-market. Or someone unscrupulous could get a job as a cleaner at your place and get unsupervised access to the computer with all the code on. Or they could remotely hack into your computer network.
Or they could take the chip out of its package and then probe it to read out the code. I believe there are some microcontrollers that deliberately make this difficult by burying key parts of the chip under extra layers and a quick web-search came up with one from a rival manufacturer.
There is nothing that is 100% secure. Just as there is nothing to prevent someone else writing new code that behaves in a similar way to your code.
For me, I take the view that ST's own CRP is good-enough to stop most attempts at code extraction.
Hope this helps,
Danish
