With I2C bootloader you have that protection. If data in external I2C memory isn't complete or if it is corrupted then main app won't start bootloader, simple as that... Erasing and writing to flash isn't started until you have all data in external memory.
Also another advantage of this is approach is that interrupt vector isn't affected by bootloader. And PIC is able to erase and write memory with code protect turned on.
Only possible drawback of this is that bootloader isn't run before main app. So if you have bug's in your main app, there is possibility that you won't be able to start bootloader.
But I didn't need that, I just needed that user can load another firmware version.