Well, my point is that switching to a commit-based workflow with no runtime changes doesn't solve the problem of Adobe setup including a malicious commit.
Isolating things to a specific folder is what actually gives any security here, and you can do that on a writable /etc too.
Everything else should be in its own folder without the ability to change anything outside of that folder.
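As an added illustration of the "own folder, no writes outside it" idea (not part of the original comment), here is a systemd service unit that confines an installer-style process to a single directory even though /etc stays writable on the host. The service name, the /opt/vendor-app path and the command are assumptions for the example.

```ini
# /etc/systemd/system/vendor-app.service  (example unit, paths assumed)
[Unit]
Description=Vendor application confined to its own folder

[Service]
ExecStart=/opt/vendor-app/bin/run
# Whole filesystem read-only for this service, including /etc and /usr
ProtectSystem=strict
# The only location the process may write to
ReadWritePaths=/opt/vendor-app
# No view of other users' home directories
ProtectHome=yes
# Private /tmp so scratch files cannot reach anything else
PrivateTmp=yes
# Cannot gain privileges via setuid binaries or capabilities
NoNewPrivileges=yes
```

With ProtectSystem=strict every path outside ReadWritePaths is mounted read-only for the service, so a malicious step inside the vendor's setup can alter files under /opt/vendor-app but gets EROFS on /etc, which is the same guarantee the commit-based /etc aims for, applied per folder instead of per host.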