Is there a way to create a protected RPM package without giving up your source code?
Do you mean the source used to create the RPM (i.e. ~/rpmbuild/*) or the source used to create the binaries in the RPM? I didn't know that either was part of a standard .rpm package (as distinguished from an .srpm, as built also using the rpmbuild tool).
The tarball and the spec file is sure part of at least the src.rpm.
Just as idea, you could encrypt the tarball, but then again, the specfile would need args to 'automaticly' decrypt it, while generating the rpm package.
I havent made rpm's containing binaries yet, but i would assume that you only use the compiled bin's rather then the codefiles (eg: *.c/*.h).
A rpm containing binaries only, would never contain source code of the binary, unless you pack the complete project folder, which IMHO seems wrong anyway, as it would include several obect-, temp-, devel- & whatnot-files.
Depending on how 'safe' you want to be, either dont include the source code of binary at all, or delete the regarding folders within the %install of the specfile.
EDIT: That way you could transfer the project.src.rpm in-house with ease, and everyone has all required data to generate and replicte the bins and rpm, but shipping only the project.rpm out-house would contain only the binaries you want to ship.
If its all scripted, then no chance anyway 
Hope this helps