- swf verfication
- encryption (for rtmp and hls...)
- allowed swf (which can help you for your last question i think) and html domains set inside app
- apache authentication settings
- apache allow deny settings
imho and inside my experience with FMS, i am not aware of other tools for protection (on the other hand, i do think that it is enough for the rtmp but not for the HLS).
I know this does not help your case much (mine too) but view my post as my way of agreeing with you and as a support for getting better protection in future versions, especially for HLS.