I apologize for the large text. I copied/pasted and did not realize the text would show like that. I can't edit it, as the first post in a new topic cannot be edited.
There is a Write-Once-Latch (WOL) that, when programmed with the correct key, inhibits any further programming and erasing of the chip, prevents from debugging and read-out of flash by a programmer. See PSoC5LP programming specs pg. 83
The flash security options are described best imho in creator help. enter "flash security" into help search field.
Thanks Bob! That makes sense. It set me on a witch hunt, with the proper search terms in hand.
In addition to that draconian step, there is another way to allow yourself a reprogrammable device without allowing debug.
In An72382, page 9, it talks about the "System" tab for the cydwr file. In it there is a Programming\Debugging line, which has SWD options for Debug. In that old app Note, it says to select "Debug Ports Disabled." That option is no longer available. I suspect that the selection "GPIO" is the one that prevents debugging on those ports. You can then use them as GPIO.
Edit: It appears you may also have to select "Enable Device Protection" also.
That combined with Level 1 of protection should (I hope) give a reasonable amount of protection for my stuff. I don't care if someone erases my code, I just don't want it hanging out there through the debug port or visible otherwise. There may be a minimum time window that debug could still occur, that is probably ok, we plan to do some obscuring of the device.
In addition, there may be NVL for debug enable/disable without WOL being set. Still looking.