I appreciate the response, but these suggestions won't solve my problem. First, Mechanique's bootloader doesn't require that you pull MCLR low. A power cycle is good enough to get it started. So the additional transistor you mention isn't needed for that.
Also, my hardware is already built, so there can be no changes there.

I use the RS-232 port both for communication and for bootloading, so I can't "kill" the serial port to stop the bootloader. About the only thing I can do is to stop all FLASH WRITEs.

I also can't set the code protect fuse, since I need to be able to turn the booloader ON again!