Description
When creating a distroless image from a build container, for security I do COPY --chmod=a-w to make all my project files read-only, and later I use a volume on /home/nonroot to have a read-write space in which to store my app data, outside of the container.
To improve security, I would like to have ALL of the filesystem without write permissions. I know I can achieve it with the --readonly flag when running docker, but it's opt-in and can easily be forgotten. Another option would be to create another distroless image, using an empty base image and copying all the files from the originally generated distroless image, but that's a bit cumbersome.
My question is: does it make sense, since distroless images promote security, for them to be provided already without write permissions on their filesystem? The only concern I have is about the /home/nonroot folder, since when creating the volume it's fully copied onto the volume on first run, including the folder permissions, so the volume would become read-only too... or we would need to leave the folder read-write, but that would not prevent it from being used without a volume, and content would still be written in the container...
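The build-side half of the setup described above, as an added example that is not part of the issue or of the distroless project. It assumes a Go service (the build stage, the `/app/server` path and the `static-debian12:nonroot` tag are illustrative choices, not anything the issue specifies) and uses the octal form of `--chmod`, which every BuildKit release with `COPY --chmod` accepts; `0555` is the equivalent of the issue's `a-w` for an executable.

```dockerfile
# syntax=docker/dockerfile:1

# Build stage (assumed: a Go binary, chosen only so the example builds standalone).
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/server .

# Runtime stage: the :nonroot variant already runs as the distroless "nonroot"
# user (UID 65532), so no USER instruction is needed here.
FROM gcr.io/distroless/static-debian12:nonroot
# Project files land in the image without write bits for anyone (r-x only).
# This only covers what COPY touches; directories that already exist in the
# base image (/tmp, /home/nonroot) keep their image permissions.
COPY --from=build --chmod=0555 /out/server /app/server
ENTRYPOINT ["/app/server"]
```

Because `--chmod` only affects the copied files, the runtime flag is still what makes the rest of the root filesystem read-only. Docker spells it `--read-only`, and it applies to the container's root filesystem only, so a volume or tmpfs mounted into the container stays writable: `docker run --rm --read-only --tmpfs /tmp -v appdata:/home/nonroot myapp` gives exactly the split the issue asks for (immutable image, writable app data). To keep the opt-in from being forgotten, commit it alongside the image definition, for example as `read_only: true` on the service in a Compose file, so every `docker compose up` carries it.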