Most modern MCU have some kind of readout protection of the flash. Unfortunately, there’s only the minimal level of protection of your firmware IP. The TL;DR version is that serious crackers can etch the physical shielding off, and then read the flash content via microscope.
There are also exploits that crackers can use. Here’s a case study of how the STM32F0 MCU can be cracked via exploits https://www.aisec.fraunhofer.de/en/FirmwareProtection.html
What to do? Understand the risks and act accordingly. There is no one right answer, but there is a right answer for your situation.