If a chrome app can work offline it means that source code is downloaded somewhere.
My question is how to protect it?
The only thing that comes to my mind is minification of javascript code. Is there anything else?
Javascript is downloaded to the client machine (and can be manipulated there) for this reason it can never be secure or secret. As you say the best you can hope for is obfuscation.