How much are you prepared to pay to protect your code? What is the value you are expecting to lose if protection is broken (in terms of dollars)? What is the likelihood of this happening? How much money are your attackers likely to spend on getting your code? Will a single breach by one attacker result in a small amount of damage to you (eg one user's files lost) or a systemic one (eg all of your proprietary secrets lost that are the same on all devices)?
All self-decrypting systems are flawed and limited. Some hardware devices try and make it harder to extract the keys, but the keys still have to eventually end up in plaintext in the device for decryption routines to use them.
Providing the key remotely is an option, but it's also flawed because the target device can be modified to log the key.
In the end all you can aim for is making it slower and more expensive for an attacker to work out how to decrypt your code. Combinations of hardware-level obfuscation and complex bootloaders will achieve this until they don't. Implementing these is expensive, implementing them well and testing them well (ie attacking them yourself) is expensive, probably more so than a single attacker's costs.
Broadcom may already have some hardware obfuscation features in the SoCs on the Raspberry Pis, but I suspect you would need to engage them at a business level to get solid information.
A cheaper option is software-only obfuscation, of which there are many write ups on the internet with millions of different methods & justifications. This will definately be the easiest method on a Raspi as you don't need any extra hardware.
Some companies provide pre-made obfuscation methods as a service. These have different flaws, but they might meet your requirements in other ways (you get to shift blame to a 3rd party).
The best method is avoidance: don't have secrets on hardware that you don't physically secure and control. Sadly this is often not feasible, but minimisation is still worthwhile.