Lots of vectors don't even require JTAG. Coffee maker type devices are likely to be just a $1 a microcontroller with inbuilt flash which you can fuse when programming to prevent reading but is rarely done in small production runs.
flash for microcontrollers such as ESP, Rpi pico etc is usually saved on an 8-pin flash chip which most people forget about and is easy to unsolder and pop into a reader. bigger devices using bootloaders sometimes store a whole FAT32 filesystem in one of these, you can even unsolder most flash and re-mount it with a little skill and suitable hardware.
I once read an AWS private key stored in plain text from an IOT board once. Go figure!
flash for microcontrollers such as ESP, Rpi pico etc is usually saved on an 8-pin flash chip which most people forget about and is easy to unsolder and pop into a reader. bigger devices using bootloaders sometimes store a whole FAT32 filesystem in one of these, you can even unsolder most flash and re-mount it with a little skill and suitable hardware.
I once read an AWS private key stored in plain text from an IOT board once. Go figure!