As racetrack mentioned, there are other ways of getting your .apk if they want it, but the long and short of it is that your app is largely exposed once it's in someone else's hands. A decompiler will lay the whole thing bare for reverse engineering. This is part of why Google strongly recommends using an obfuscator like ProGuard. While this still leaves all the logic there and intact, it makes it much more difficult for a person to read and understand, as it will replace all your function and variable names with meaningless strings of characters.
Personally, I've stuck with the Market for distribution. My main focus is making people within my target market aware of the existence of my app rather than needing to reach a wider demographic, so reaching countries that the Market doesn't support paid purchases in yet is of minimal concern to me.