Just to be clear, some micros (STM32s come to mind) have what they call "on the fly decryption" for external flash. Basically, if the micros wanted to, they would. I think ESP32s are also using qspi flashes but they're integrated in package? Maybe that's changed but that's how I vaguely remember it
I believe only the ESP32 modules with 16M have QSPI flash, the 4M standard flash is on chip. For on the fly decryption you need on chip enclaves to store the keys. Anyway, it doesn't really matter for hobby projects and the ESP32 can also be used for commercial projects.
Indeed, the number of "non commercial" projects using these chips that are set up much less securely than even modest "hobbyist" projects boggles the mind.
