So once my Teeny is installed in its final home doing what I want it to do the bootloader chip plays no more part in the proceedings, it just sits there retired. I wish I could.
Less like retirement, more like furloughed but forever on call, ready to return to work / active duty on a moment's notice when needed again.
After studying the 1000+ pages reference manual for the K20 processor, you'll discover that there are flags which can be set to protect the firmware.
Read a short but inspiring summary here: #9