Pdeploy not safe?

I just found that the original P3D file can be extracted from the pdeploy-ed EXE easily! You just need to open it with an editor (e.g. Notepad++), then scroll to the header of the P3D (usually a line with “pmf”) and remove everything above! Can’t even UPX/compress the EXE, by the way (because the data is read from the EXE at a specific position), so either I make my own “safer” pdeploy or is there any way to fix it?

This is no secret. You can extract the original .p3d file rather easily; it’s just tacked onto the end of a stub executable file. Just as easily as you can access, say, the original .pyc files from something packaged using py2exe, or the original .jar of a packaged Java application. You cannot, however, extract the original source code, as .p3d files only contain .pyo files, which are optimised Python bytecode.

I realise that the opinions on this differ, but I don’t think it’s worth it to pursue the (arguably impossible) goal of preventing the user from accessing your compiled Python bytecode in some way or another. If you want to force verification of sensitive parts, though, you could use ppackage to generate a package for that part, upload it to a server, and compile your .p3d file against it (and set the verify_contents token during the pdeploy phase). This is explained in the manual.
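An added example, not part of the original posts and not Panda3D code: a packager-side check that shows what "tacked onto the end of a stub executable" means in PE terms, by locating any data stored after the last section. The function names and the sample file are constructed for illustration, and the check assumes an unsigned executable (an Authenticode signature also sits after the last section).

```python
import struct

def find_overlay(data: bytes):
    """Return (offset, appended_bytes) for data stored after the last PE section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header follows the 4-byte signature.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # start of the section table
    end = table + 40 * num_sections           # headers are part of the image
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end, data[end:]

def build_sample_stub(payload: bytes) -> bytes:
    """Constructed PE-shaped file with one section and `payload` appended."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000,
                       0x10, 0x80, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sect + b"\x90" * 0x10 + payload

if __name__ == "__main__":
    sample = build_sample_stub(b"pmf constructed payload")     # constructed data
    offset, appended = find_overlay(sample)
    print(f"appended data starts at offset {offset}, {len(appended)} bytes, "
          f"first bytes {appended[:3]!r}")
```

Anything the loader can find at a fixed position after the stub, this kind of check finds too, which is why the answer points to server-side verification rather than hiding the payload.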