in reply to Re: Re: "safe" perl cron environment?
in thread "safe" perl cron environment?
If some code on the box can download the "secret" scripts, then root can read that code and do the same thing. Or he can just edit the code to print out the "secret" material after it has been downloaded. This is not a secure solution.
Right, mostly I just moved the problem. A working solution would require some form of authentication procedure. Unfortunately, because root can simply read whatever files are needed on the client machine to provide credentials (i.e., username/password, plain text cookie, private encryption key), or su to the scripts' account, there's always going to be the risk of a spoofed client. In order to make this work I think you'd need a fairly elaborate process.
The NDA is a good idea in any case, although given that these are running as cron jobs, they probably aren't visible to the public. So finding out if the NDA has been breached could be hard.