Thanks for the practical answer. And, therefore it becomes futile to protect the package from being edited by a third party (beyong config changes).

Good point. How do you deal with encrypted packages if a third party is installing the package? Are you force to give the password away to the third party to...