My guess is that masternodeA (the one holding the coins) registers in the network like "hey, I want to be a masternode, and I hold 1k DRK, you can check it, and my "masternodeaddr" is this 'masternodeB' (which has 0 DRKs)", then the network verifies that masternodeA has 1k DRKs and registers masternodeB in the list of masternodes. When you get the list of masternodes you only get masternodeB.
I guess someone could sniff that initial part of the protocol and find out that masternodeA has 1k DRKs and masternodeB has 0 DRKs, but I would say that you don't really even need to have masternodeA available in the network as long as the wallet holds the 1k DRKs, so (and this is just thinking and writing at the same time) you could probably even disconnect masternodeA from the network after the initial registration and just leave masternodeB in the network.
If that's how it works, then I wonder why a second machine is necessary? If you only need the wallet present at the initial verification step, why not have a single masternode that verifies the wallet, closes it, and allows you to remove it from the machine?
Because why ever have them on the machine at all? You could use TOR to send the message to your remote master node and no one would know your native IP. As long as you aren't running services off your local machine and have pretty much all your ports closed down, you are better protected than on a server.