Alternate idea, not sure how good this is: Use existing OS security features (regular permissions, or more modern features such as the immutable attribute) to mark the postgresql.auto.conf file as not being writeable. Then any attempt to ALTER SYSTEM should result in an error.
That is the point I highlighted in the initial post in the thread. We could make it readonly, but the returned error is misleading and definitely poor UX:
``` postgres=# ALTER SYSTEM SET wal_level TO minimal; ERROR: could not open file "postgresql.auto.conf": Permission denied ```
IMO we should clearly state that `ALTER SYSTEM` is deliberately disabled in a system, rather than indirectly hinting it through an inaccessible file. Not sure if I am clearly highlighting the fine difference here.