Sun thought about this a long time ago. Thats why
Java class files that are used by a
servlet or
JSP have to be stored under the WEB-INF subdirectory. Servers are forbidden to directly serve any file from WEB-INF.
Since JSP are entirely confined to the server, there is no transmission of code to the client browser during operation.
Bill