So I was thinking about this some more, and I guess something we could do with hopefully minimal performance impact is something simple like XOR encrypt the project name over the content of all asset files. If it's reversed at the point of loading hopefully there won't be too much delay (although this remains to be seen), and it stops you "just opening" any asset files.
The thing is this is basically homeopathy for security. It is not remotely secure in any meaningful way. XOR encryption is the type of thing treated as a joke by professionals (but it's quick and simple, which is the main reason I consider it). But - if you find the file you can't immediately open it until you figure out how to at least run the reverse XOR process. So this will function well enough to stop people idly browsing around your assets. But it won't pose much of a barrier to anyone with common technical skills. We could choose some really tough encryption, but then crackers will fall back to other tactics like scraping from RAM while your game startup time needlessly suffers.
My main objection is what does this really solve? I feel like people want to tick a box on a checklist that says "encryption" and get a warm fuzzy feeling that their work is at last safe, but that is not at all the case, even with some supposedly strong encryption. If someone wants to rip your music and sell it online, they can find a way. By far the more effective way to counter this is copyright law.
We're also a small team and I'm keen to spend time where it matters. Lots of people want exciting new features like modularity in events. I want to do that a lot more than I want to sit around fine-tuning the performance of a placebo algorithm.
So, is this really what people want? Do you really think this will make a material difference to anything?