as far as i know, it is not very easy to decrypt a max collective.
maybe someone can do it, but no one in the forums said that they
really did it. i would call it "moderately secure"
on the other hand, additional content of the app can be easily viewed
by "open package content" operation in finder (on osx, don’t know
about windows), but that works for most other apps as well – you
easily get elements of ui or sounds, some support files, etc
The collective inside the app is not encrypted, and it is possible to extract working patch data from the collective if you have time and patience. If the patch is a single patch full of nested patchers, it’s considerably easier to reassemble than a patch that uses a lot of abstractions. If there is audio content etc in the collective, you can get that out too if you know what you’re looking for.