I have chewed on the same question, and presently I am planning on using an active integrity engine.
My basic idea so far is this:
2) If the client either fails to respond to the integrity engine in the appropriate time frame or responds with a bad (e.g. modified) c2runtime hash, then the server will nullify their session and instruct the client to kick them off of the game with an error message and a customer support email to contact.
It definitely requires an active server to constantly process the hashes, which we already have up and running, but some people may not.
As far as actual data protection goes, anything on the server is safe.
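The server side of the check described in the post above, as an added example for Node.js that is not the poster's code. Assumptions not in the post: the server sends a random nonce and expects SHA-256 over the nonce followed by the known-good c2runtime bytes; the function names, the 5-second window and the stand-in runtime bytes are made up for illustration.

```javascript
const crypto = require('crypto');

// Assumed values for this sketch (not from the post).
const RESPONSE_WINDOW_MS = 5000;
const KNOWN_GOOD_RUNTIME = Buffer.from('/* constructed stand-in for c2runtime.js */');

// sessionId -> { nonce: Buffer|null, issuedAt: number }
const sessions = new Map();

// Value the client must return: SHA-256(nonce || runtime bytes).
function expectedHash(nonce, runtimeBytes) {
  return crypto.createHash('sha256').update(nonce).update(runtimeBytes).digest();
}

// Start one integrity round. A fresh nonce per round means an answer
// recorded in an earlier round does not match the next one.
function issueChallenge(sessionId, now = Date.now()) {
  const nonce = crypto.randomBytes(16);
  sessions.set(sessionId, { nonce, issuedAt: now });
  return nonce.toString('hex');
}

// Drop the session and tell the caller to kick the client.
function nullify(sessionId, reason) {
  sessions.delete(sessionId);
  return { ok: false, action: 'kick', reason };
}

// Check a client's answer: it must arrive inside the window and match.
function verifyResponse(sessionId, hashHex, now = Date.now()) {
  const s = sessions.get(sessionId);
  if (!s || !s.nonce) return nullify(sessionId, 'no-challenge');
  if (now - s.issuedAt > RESPONSE_WINDOW_MS) return nullify(sessionId, 'timeout');
  const want = expectedHash(s.nonce, KNOWN_GOOD_RUNTIME);
  const got = Buffer.from(String(hashHex), 'hex'); // malformed hex yields a short buffer
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return nullify(sessionId, 'bad-hash');
  }
  s.nonce = null; // each challenge can be answered once
  return { ok: true };
}

// Run periodically: clients that never answered are kicked as well.
function sweep(now = Date.now()) {
  const kicked = [];
  for (const [id, s] of sessions) {
    if (s.nonce && now - s.issuedAt > RESPONSE_WINDOW_MS) {
      nullify(id, 'timeout');
      kicked.push(id);
    }
  }
  return kicked;
}
```

The caller maps a `kick` result to the error message and support email mentioned in the post.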