FPGAs can sometimes be made one-time-programmable (OTP) using anti-fuses that basically disable the JTAG interface, or they can be set to disable the interface if the FPGA detects attempted tampering. Most of the time, an FPGA is set to OTP to prevent competitors from stealing source code, in applications where upgrading the firmware via JTAG is not necessary.
The FPGA can also have a massive unique key that allows the designer to create a whitelist algorithm that only lets certain unique IDs run that firmware. Other options involve setting a time limit for how long the firmware will run, disabling certain features, or totally bricking that FPGA forever. Spartans have this feature, but it would still allow someone to build a new design that doesn't check the device ID.
Additionally, the bitstream can be encrypted so that if a field update is necessary or the firmware is stored in a separate flash chip, someone can't reverse engineer it.
Overall, the more you pay, the more security features are available. An example secure design would disable JTAG pins permanently and have a microprocessor inside that would handle new updates. The processor would authenticate any new encrypted firmware before programming the internal flash.
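The authenticate-before-programming step of that example design, modelled in Python as an added example (not code from any FPGA vendor or from the original text). The image layout, the `FPUD` magic, the `Flash` stand-in and the use of HMAC-SHA256 with a device-held key are all assumptions; the bitstream stays encrypted in flash and is treated as opaque bytes.

```python
import hashlib
import hmac
import struct

MAGIC = b"FPUD"                  # hypothetical image magic
HEADER = struct.Struct(">4sI")   # magic, ciphertext length (big-endian)
TAG_LEN = hashlib.sha256().digest_size

class UpdateRejected(Exception):
    pass

def build_image(key, ciphertext):
    """Vendor side: append an HMAC-SHA256 tag over header + ciphertext."""
    header = HEADER.pack(MAGIC, len(ciphertext))
    return header + ciphertext + hmac.new(key, header + ciphertext, hashlib.sha256).digest()

def authenticate(key, image):
    """Device side: return the ciphertext only if the whole image verifies."""
    if len(image) < HEADER.size + TAG_LEN:
        raise UpdateRejected("truncated image")
    magic, length = HEADER.unpack_from(image)
    if magic != MAGIC or len(image) != HEADER.size + length + TAG_LEN:
        raise UpdateRejected("malformed header")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise UpdateRejected("authentication failed")
    return body[HEADER.size:]

class Flash:
    """Stand-in for the internal configuration flash."""
    def __init__(self, contents):
        self.contents = contents
    def program(self, data):
        self.contents = data

def handle_update(flash, key, image):
    """Program flash only after authentication; leave it untouched otherwise."""
    try:
        ciphertext = authenticate(key, image)
    except UpdateRejected:
        return False
    flash.program(ciphertext)
    return True

# Constructed sample data: a fixed demo key and a stand-in encrypted bitstream.
DEMO_KEY = bytes(range(32))
DEMO_CIPHERTEXT = bytes([0xA5]) * 64
```

The tag covers the header as well as the ciphertext, so a modified length field is rejected along with a modified payload, and the existing flash contents survive any failed update.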