
And manufacturers tend to lock down their Matter devices, too, so you can't flash Tasmota or ESPHome on them. See: Shelly, Sonoff.


Not just tend to, have to. Matter certification requires flash encryption and FW signing.


Are these requirements public?

I was working on a Matter device but it never got certified due to high cost/lack of customer demand.


Matter specifies that all firmware images must be signed so the device can verify authenticity before installation, ensuring they haven’t been tampered with. Matter further requires mechanisms to prevent unauthorized firmware execution and ensure that firmware can't be downgraded.

Matter states that firmware images “may be encrypted.” This is not a requirement, though encryption is allowed and may add security.

(https://community.arm.com/arm-community-blogs/b/internet-of-...)
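The two checks described in the comment above (verify the vendor signature before installation, refuse a downgrade), as an added example that is not part of the thread and is not taken from the Matter specification or any vendor's firmware. The `Image` layout, the `Sign`/`Accept` names and the choice of Ed25519 are assumptions made for illustration; the page does not state which container format or signature scheme Matter devices use.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is a hypothetical update container, not the Matter OTA file format.
type Image struct {
	Version      uint32
	Payload, Sig []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify against vendor key")
	ErrRollback     = errors.New("image version is not newer than installed version")
)

// signedBytes binds the version to the payload, so an old, validly signed
// payload cannot be relabelled with a higher version number.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// Sign is the vendor-side step; only the build system holds the private key.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	return Image{Version: version, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(version, payload))}
}

// Accept is the device-side check run before anything is written to flash.
// Authenticity comes first, so the version field is only trusted once verified.
func Accept(vendorKey ed25519.PublicKey, installed uint32, img Image) error {
	if !ed25519.Verify(vendorKey, signedBytes(img.Version, img.Payload), img.Sig) {
		return ErrBadSignature
	}
	if img.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair for the demo
	img := Sign(priv, 7, []byte("constructed firmware payload"))
	fmt.Println(Accept(pub, 6, img), Accept(pub, 9, img)) // upgrade, then downgrade
}
```

On a real device the `installed` value would need to live in storage the update itself cannot rewrite, otherwise the rollback check can be reset.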


This sounds like it only affects OTA updates going through the Matter stack, not an explicit requirement to block serial flashing.

Disclaimer: I haven't tried serial flashing of Shelly/Sonoff Matter-enabled devices myself, just remember some complaints of customers that failed to re-flash such devices.


You say that as if that’s a bad thing. I would love to have more IoT security.


where "security" here means "anything not explicitly sanctioned by the vendor is prohibited"?


No it means signed firmware and verified boot…


That's pretty far from the main issue with IoT security, and a heck of a lot of the issue with IoT in general, that the hardware gets vendor locked to a vendor that stops supporting the software (and wasn't very good at writing it in the first place).



