Sorry, you're absolutely right. You can't boot from the image, but can restore the image to a bootable device to get access to it, or you can open the invisible FileVault volume on the image (so, an image in the image) to get at the files.
Sparse images with password protection are, indeed, secure -- in fact, that's what FileVault uses. If you're FileVaulted, and they got the sparse image, password protected or not, those files are just as encrypted as they were on the original drive. So, no -- they wouldn't be able to get access without breaking the encryption (unless, of course, you didn't have a password on your login account, or had one that was easily cracked).
__________________
--Dave Nanian