by pas
2406 days ago
Yes, but no. I mean you are probably familiar with FIPS-140-2's security levels [0], and the ESP32 is probably on neither. (Not even Level 1. Which is roughly something that you can do almost purely just in software, that's why OpenSSL has this mode.)

I'd argue that if you want to use some kind of device as part of your security system, and that part has to endure temporary physical access from unauthorized third parties, then you need something that is designed for that. Considering a software broken when it's clearly not designed to withstand physical tampering ... is a bit silly. (Though considering it broken in terms of IP protection is not surprising, it was never really designed for that either.)

Though, of course, you're absolutely correct that compared to its price (or cost), it's a lot more secure than an empty floppy (yet similarly simple - except you can't toggle an efuse by hand), or early smart phones (or early anything that was complex, ran every kind of software as root, and so naturally was full of holes).

[0] https://en.wikipedia.org/wiki/FIPS_140#Security_levels