>   If you could add code to a protected chip, you could write in a "read"
> routine to send it all back *out* again via the UART.  I think that's
> the reason.

No, because only code already in the part could write to the flash.  That
code might include a code downloader, but it could decrypt the downloaded
code or check a digital signature, so that an attacker does not no how to
construct a loadable image that would dump the ROM.

What they should have done is to have two *separate* bits that disable
verification (the traditional code protection) and flash writing.