giter, you could protect the admin files using a password at the webserver level. That would be the easiest, but not very convenient for administrators. Or protect by IP range if you know you will always access the admin from a fixed IP.
Some big companies using Flarum must have developed their own "locked down" version of Flarum that automatically prevents accessing files the current user doesn't need, but I have no insights into that. I just know their admin files are not visible in the Lab.
Some forums use further JavaScript minification (some intentionally, some it's their host/proxy doing it automatically) which limits what the Lab can do with the data. But everything's still there for someone who wants to put in the effort.
Minifying the JavaScript for the purpose of hiding which features are available isn't very effective since the list of extension IDs is present in the Flarum JSON boot payload anyway.
Can I ask what you're trying to make invisible on the forum? Many things can be seen straight away from the development tools as you say, and most of the things could be "guessed" by a skilled person anyway.
If your forum is fully private, and only accessible to invited users, I can understand you might want to hide the full extension bundle for guests. This could probably be achieved using a Flarum extension, where guests would see a "light" version of Flarum with just core features to allow login, and where the full bundle is downloaded for logged-in users only. The extension would need to make the name of the JavaScript file either unguessable, or actually implement some access control on that route instead of letting nginx/Apache serve the file.
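
Added example, not part of the original post: one way to apply the webserver-level protection suggested above in nginx, accepting either a fixed IP range or a password. The `/assets/admin*` file naming, the IP range and the password file path are assumptions or placeholders to adapt to the actual install.

```nginx
# Added example: goes inside the existing server { } block for the forum.
# Assumption: the admin bundles are served as /assets/admin*.js and admin*.css.
# nginx tries regex locations in order of appearance, so place this above any
# other regex location that also matches .js or .css files.
location ~ ^/assets/admin[^/]*\.(js|css|map)$ {
    # Let the request through if EITHER the address check OR the
    # password check succeeds.
    satisfy any;

    # Fixed office/VPN range (placeholder from the RFC 5737 documentation range).
    allow 203.0.113.0/24;
    deny  all;

    # Fallback for administrators connecting from any other address.
    auth_basic           "Forum administration";
    auth_basic_user_file /etc/nginx/flarum-admin.htpasswd;  # placeholder path

    # The files are no longer public, so keep shared caches from storing them.
    add_header Cache-Control "private, no-store" always;

    try_files $uri =404;
}
```

If a reverse proxy or CDN sits in front of nginx, the `allow` rule sees the proxy's address unless the real client IP is restored first. This only restricts the admin files themselves; the extension IDs in the boot payload remain visible, as noted above.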