I'm quite familiar with the characteristics of the STM32.
The STM32F405 is a standard microcontroller. Its security features are generally comparable to those which are present on other STM32 microcontrollers, as well as most microcontrollers in general. The PCROP (proprietary code readout protection) features which you appear to be referencing here don't help, as your application code is already open-source, and the key data that you're trying to protect must be readable to be used. Moreover, PCROP functionality is absent on the STM32F405.
STM32 readout protection is not particularly robust. There are a number of known attacks which can be used to bypass it on certain families without decapping the chip. I'm not sure if there are any attacks currently known against the F4 series, but I wouldn't doubt that they exist.
Most STM32 parts actually have a tamper detection feature which can be used to clear the contents of a battery-backed RAM when triggered. This sort of configuration still doesn't make a HSM, but it would be a step in the right direction.
Now this has degenerated into a quibble about semantics, and the difference between "it's not an HSM" and "it is an HSM, but it might have a vulnerability due to an unpublished zero-day against the hardware." Unpublished attacks against your silicon are always a concern, even (perhaps especially) if your silicon is marketed as a "secure element".
The SC4-HSM costs $75. It is intended to compete against the likes of the Trezor, the Ledger, and the Yubikey, not the SafeNet Luna. Its primary threat model is a compromised host, not loss of physical possession. Is it the most secure HSM you can buy? No. Is it the best choice for use in a data center? No. Is it secure against loss of physical possession to a state actor? Probably not (though you can always choose to encrypt the keys, which has a pretty good shot of holding up even against state actors). Is it fair to say flat-out, "It's not an HSM" implying that it provides no security at all? No.
The STM32F405 is a standard microcontroller. Its security features are generally comparable to those which are present on other STM32 microcontrollers, as well as most microcontrollers in general. The PCROP (proprietary code readout protection) features which you appear to be referencing here don't help, as your application code is already open-source, and the key data that you're trying to protect must be readable to be used. Moreover, PCROP functionality is absent on the STM32F405.
STM32 readout protection is not particularly robust. There are a number of known attacks which can be used to bypass it on certain families without decapping the chip. I'm not sure if there are any attacks currently known against the F4 series, but I wouldn't doubt that they exist.
Most STM32 parts actually have a tamper detection feature which can be used to clear the contents of a battery-backed RAM when triggered. This sort of configuration still doesn't make a HSM, but it would be a step in the right direction.