You already answered your own question:
Your decrypting class loader still has to call defineClass. Anyone can launch your app launcher in their own class loader and simply hand your app launcher a version of java.lang.ClassLoader that will write out anything that is passed to defineClass.
There is no way around defineClass (aside from native code, I suppose).
If you are so worried about your classes being decompiled you're better off with an obfuscator (ProGuard or the like) or possibly an ahead of time native compiler (GCJ, Jet).