So the way we protected models from decompilation at my previous place was to build out our own inference engine in C. The concern again was to prevent people from borrowing the model, but also to run on the edge and prevent users needing to upload data to the server (reducing security and privacy concerns).

This had the advantage too of being able to be much smaller, and better constrained on device than a standard python framework, because we only carried what we needed to get the model working. It provided a decent level of defense via a number of signature checks, encryption and rearrangement of data. But it's a big upfront cost - months of engineering effort, and even more when you need to update the core model because the newest technology blows it out the water for a similar performance cost.