Compared to other frameworks, Vaadin is pretty secure. A Vaadin application is compiled to .class files and deployed in a web server. But it is still possible to convert .class into .java if the deployed files are hacked. Is there some way to prevent the conversion of .class into .java for a Vaadin application?
The short answer is that there is no bombproof way to prevent decompilation of .class files. So the first line of defense for you is to secure the production environment, i.e. prevent system access breaches etc. This is generic to everything running on the JVM, not just Vaadin apps, but everything Java, Scala, Kotlin, or whatever that runs on the JVM.