Suppose that there is a TFS server with some kind of WF build activity installed in it. For example, and this is just an example, suppose that the activity takes the build output, decrypts credentials stored somewhere on the server, and performs an operation that requires the decrypted credentials: maybe it sends copies of the build output over the network to some computer that clients are not able to access directly.
Would TFS clients need to have local copies of the build activity that performs that operation? Or do they just push their code changes to the server and let the TFS server decide how to build the code and what to do with the build output? Or do clients have some control over the tools TFS uses to build the code and the operations it performs on the build output? And back to the example I provided, if the user is required to provide the credentials for the post-build action, is the implementer of the activity responsible for ensuring that the credentials are properly secured as they travel from the client to the server or does TFS take care of that?
Once created, you can put the Team Build Custom Build Activities in the custom binaries in source control and configure the custom binary path of the Build Controller. TFS will then automatically grab the binaries when such a build gets executed.
As for supplying credentials to the build securely, there is nothing that TFS will do to help you with that. Though communication to TFS can be secured using SSL (configure SSL security on the TFS server), the build parameters are also stored in the TFS database in plain text format.
Your custom Activity and the designer you use to edit the values could provide some form of encryption of values, which would make sure they're not plain text stored in the server database, but you'll probably have to use a static key for this to work.
The best solution is to run the Build Agent under the user credentials you're after. That way the build agent itself has the proper permissions and there would be no transferring of any credentials or secrets over the wire, since build agents will use NTLM or Kerberos to authenticate.
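The static-key approach mentioned in the answer above, as an added example that is not code from the original posts or from TFS: the names `BuildSecret` and `UnprotectParameter` and the key bytes are constructed for illustration, and the Team Build registration attribute is left out. Because the keys ship in the assembly stored under the custom binary path, this only keeps the value from sitting in plain text in the database; anyone who can read that assembly can recover it.

```csharp
using System;
using System.Activities;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class BuildSecret
{
    // Constructed static keys (illustration only); readable by anyone who can read this assembly.
    static readonly byte[] EncKey = Enumerable.Range(0, 32).Select(i => (byte)i).ToArray();
    static readonly byte[] MacKey = Enumerable.Range(32, 32).Select(i => (byte)i).ToArray();
    // Called by the designer-side editor before the value is saved as a build parameter.
    public static string Protect(string plaintext)
    {
        using (var aes = Aes.Create())
        using (var mac = new HMACSHA256(MacKey))
        {
            aes.GenerateIV(); // fresh random IV per value (AES-CBC with PKCS7 padding by default)
            byte[] pt = Encoding.UTF8.GetBytes(plaintext);
            byte[] ct;
            using (var enc = aes.CreateEncryptor(EncKey, aes.IV))
                ct = enc.TransformFinalBlock(pt, 0, pt.Length);
            byte[] body = aes.IV.Concat(ct).ToArray(); // IV || ciphertext
            return Convert.ToBase64String(body.Concat(mac.ComputeHash(body)).ToArray());
        }
    }
    // Called on the build agent; rejects a stored value whose HMAC tag does not match.
    public static string Unprotect(string stored)
    {
        byte[] all = Convert.FromBase64String(stored);
        if (all.Length < 64) throw new CryptographicException("Protected value is too short.");
        byte[] body = all.Take(all.Length - 32).ToArray();
        using (var aes = Aes.Create())
        using (var mac = new HMACSHA256(MacKey))
        {
            byte[] expected = mac.ComputeHash(body);
            int diff = 0; // compare the whole tag without exiting early
            for (int i = 0; i < 32; i++) diff |= expected[i] ^ all[body.Length + i];
            if (diff != 0) throw new CryptographicException("Protected value was modified.");
            using (var dec = aes.CreateDecryptor(EncKey, body.Take(16).ToArray()))
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 16, body.Length - 16));
        }
    }
}
// WF activity the build template calls to turn the stored parameter back into the secret.
public sealed class UnprotectParameter : CodeActivity<string>
{
    [RequiredArgument] public InArgument<string> ProtectedValue { get; set; }
    protected override string Execute(CodeActivityContext context)
    { return BuildSecret.Unprotect(ProtectedValue.Get(context)); }
}
```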