Slashdot videos: Now with more Slashdot!
BCC, like any email header, is part of the email body, and is likely to be preserved as part of the email body until 'final delivery', at which point it *may* be removed by the MTA. I say *may*, because what constitutes final delivery isn't as well-defined as you might suppose (think procmail or fetchmail), and MTAs may be configured to preserve Bcc for the benefit of users/downstream mail systems. And *any* MTA that handles a copy of the message may see the BCC header, as it isn't guaranteed to be removed until delivery, if at all.
The SMTP envelope is what actually determines routing in a pure SMTP system, and MUAs typically construct the SMTP envelope from the email body when talking to whatever SMTP agent you configure them to use - but this isn't always the case (think mailing lists). Additionally, the SMTP envelope only carries those addresses you're asking the SMTP server to route - if you're the originating MUA that's every addressee, but if you're a recipient's MTA that's only the addresses you're expected to actually deliver to.
A further wrinkle, which I glossed over in my original post, involves the 'Received from' headers that each MTA will add to the meesage - if they are receiving the message for a single recipient this will generally include the recipient address, so for best security (i.e., to protect the recipient's identity even if someone third party stumbled across a copy of the message including all headers, as it was deliviered to the anonymous recipient) you'd ideally want them to have two separate mailboxes on the same mail system, and send it to both - that way the 'Received from' headers would nwever contain an actual recipient address.