I took a quick look, and for the life of me ... I can't figure out why the embedded fonts would ever
be unencrypted when building KF8s with calibre.
The write_font_record function in the utils.py (ebooks/mobi/) has an optional parameter to obfuscate fonts that defaults to 'True'.
def write_font_record(data, obfuscate=True, compress=True):
That write_font_record function gets called exactly once
(in all the scripts in the ebook/mobi/ folder hierarchy), and it's called with only the first mandatory parameter in the resource.py script (ebook/mobi/writer2/).
So I can't determine why the procedure to build the combo MOBI/KF8 file leaves unencrypted fonts unencrypted, but the procedure to build a standalone KF8 always encrypts them.
The Tweak Book feature seems to un-obfuscate them, regardless, when exploding, so nothing really critical is going on, but I'd just like to get my head around it if I can.