I've been messing around a bit with the official theme files released for firmware 3.70 and I managed to split them apart into their various sections. I still have NO clue what the sections are, but I know for sure that the file is not encrypted, the data can be edited without corrupting the theme, the file has to be <=512KB in size, and it is copied in its entirety into a file in flash (0, 1, 2, 3; I don't know which).
You can pad on as much data as you want, random or otherwise, up to exactly 512KB. You can even replace bits of one theme with bits of another so long as the stuff you're replacing is bigger than the stuff you're copying over it and you null out the trailing data to the end of the section. For example, I copied the 'classy pink' icon over the 'cookies' icon and it showed up with the 'classy pink' icon in the theme selector.
There doesn't even seem to be a checksum on the data in the theme header...
I made a tool for splitting the files apart. There seem to be three different types of section; they all have the same first two bytes (0xD9, 0x6B) preceded by either 0x05, 0x06, or 0x07 and followed by a header that is different depending on the section type.
Hope this inspires people to figure these out even more :) I've attached the two currently existing official themes for testing purposes.