Given the current direction of JBoss Embedded, I'd say that it's unlikely to be packaged up as "one big jar". The new design is basically a few jars that "launch" an unpacked JBoss distribution, and that expects the JBoss filesystem (./conf, ./server, ./lib, etc.). As a JBoss AS user, I find that to be a good thing: my 'real' app server and my embedded app server (for unit tests) are basically the same thing.
Regarding running JBoss AS on an untrusted machine... JBoss AS is Open Source, so anyone can see the source code, but your app? That might be a different story. IMHO...
- Any obfuscation or other type of protection will be cracked given time, so deploying any sensitive or proprietary code is probably not the best idea. Deploying an OSS app is basically a non-issue, since the source code is available anyway.
- Typically people use JBoss to implement a software service (that's what my company does with it), so we run it in a trusted environment. If you have sensitive or proprietary code, why not do it that way?
- Running in a trusted an known environment makes development much easier because you don't have to deal with all kinds of strange configurations (except for browsers).
So, seems like you'd want to release whatever this is with an open source license and then figure out a way to deal with supporting different environments.