This isn't a worry over device security. It's a worry about cloning. Most of the serious FPGA market is low-volume speciality devices that cost upwards 10-100k per unit, with yearly support contracts of that magnitude on top. Seismology, medical research, telecommunications... many of those products will be a raving success if they sell 1000 units. R&D is almost all of the cost and the hardware design is nothing special. You could clone these things with basically no investment if you have access to the bitstream. "Decompiled" bistream is also much more readable than assembly. That's why they're worried.
You could clone highly specialized devices, but it's not clear who you're going to sell them to. I'd like to think that most of my small, specialized customer base would turn up their noses at an obvious clone of my own product.
The people who need to worry about this are the Ciscos and Keysights and John Deeres and other 800-pound gorillas whose products have a broad user base that includes cost-sensitive customers.
