your understanding of the booting process is correct,
suggest you also check the documentation, Jetson TX2 Boot Flow.
there’re two different scenario regarding to RCM,
1. if the board is un-fused
no key should be provided to flashing tools.
then, tools will handle as zero-sbk. RCM components contain only AES hash.
2. if the board is fused
private key needs to be provided to flashing tools so that RCM components will be signed properly.
since RCM code will be signed as long as secure boot is enabled so it should be secure as other signed component like BCT or bootloader.
please download Secure Boot package via download center, you should also read README_secureboot.txt for the steps to enable secure boot.
you might also access Tutorials page, expand [Developer Tools] session, check [Jetson Security and Secure Boot] training video to have more details.