Use ICSP. The very fact you have a Bootloader, means your software is unprotected. The idea of protceting your code is just that - it is PROTECTED. You can't have a "I want it protected from everyone but me" scenario - it's either protected, or it isn't. You can't have both.