If you don't store anything other than your program hex, then when you upload a new program hex, the old one is erased. If you store settings, etc. using the EEProm library, that information you would need to wipe out by other means, such as a function in your program.
What can you tell us about your threat model? How sophisticated or motivated an attacker are you trying to defend against? What sorts of protections might the rest of the system afford you? For example, if you can live without changing the firmware, you could pot the entire Teensy leaving no (easy) access to the USB connector.