The tarball and the spec file are surely part of at least the src.rpm.
Just as an idea, you could encrypt the tarball, but then again, the specfile would need args to 'automatically' decrypt it while generating the rpm package.
I haven't made rpms containing binaries yet, but I would assume that you only use the compiled bins rather than the code files (e.g. *.c/*.h).
An rpm containing binaries only would never contain the source code of the binary, unless you pack the complete project folder, which IMHO seems wrong anyway, as it would include several object-, temp-, devel- & whatnot-files.
Depending on how 'safe' you want to be, either don't include the source code of the binary at all, or delete the relevant folders within the %install of the specfile.
EDIT: That way you could transfer the project.src.rpm in-house with ease, and everyone has all required data to generate and replicate the bins and rpm, but shipping only the project.rpm out-house would contain only the binaries you want to ship.
If it's all scripted, then no chance anyway.
Hope this helps
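
A pre-shipping check for the approach described above, as an added example that is not part of the original post: it scans a package file list (one path per line, as printed by `rpm -qpl project.rpm`) for source, object, temp and packaging files. The pattern list and the sample paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag files that should not be in a binary-only rpm.
# Input: one path per line on stdin, e.g.  rpm -qpl project.rpm | audit_filelist
# The patterns are assumptions; a -devel package that ships headers on
# purpose would need the source pattern relaxed.

# Prints "<kind><TAB><path>" for each suspicious entry.
# Returns 0 when the list is clean, 1 when anything was flagged.
audit_filelist() {
    flagged=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case "$path" in
            *.c|*.h|*.cpp|*.hpp)              kind=source ;;
            *.o|*.lo)                         kind=object ;;
            *"~"|*.swp|*.tmp|*.orig|*.rej)    kind=temp ;;
            *.spec|*.tar.gz|*.tgz|*.tar.bz2|*.tar.xz|*.src.rpm)
                                              kind=packaging ;;
            */.git/*|*/.svn/*)                kind=vcs ;;
            *)                                continue ;;
        esac
        printf '%s\t%s\n' "$kind" "$path"
        flagged=1
    done
    return "$flagged"
}

# Constructed file list of a package built from the whole project folder.
sample_listing() {
    cat <<'EOF'
/usr/bin/project
/usr/share/doc/project/README
/usr/share/project/src/main.c
/usr/share/project/src/main.h
/usr/share/project/build/main.o
/usr/share/project/notes.txt~
EOF
}

# Demo run on the constructed list.
sample_listing | audit_filelist || echo "flagged entries found: do not ship this rpm"
```
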