I think zarr has some ‘security’ vulnerabilities, and in case you are doing something wrong on an existing dataset (e.g. I tried to add consolidated metadata after archive creation) you will loose data.
So which ways are there to protect an zarr archive ?
One idea I have so far is to grant read and append access only, but this is hard to obtain via command line tools like chmod
Zarr relies on the underlying storage layer (filesystem, object store, etc) to provide security. Read access is fairly easy to configure with standard UNIX permissions or cloud IAM. Append is more complicated but should be doable.
Where are your data stored?
Thanks for your reply @rabernat . At the moment I store the data on a unix filesystem.
You can do this on unix with chattr +a e.g. But my intention is that it would be a nice feature to define this when the archive is initialized.
But even if I change to append only, I am asking what happens if the root user wants to write to the data ? Or does root has to change the attribute before root can do anything with the file? I will test that 
My plan is to store the data on s3 in a couple of months.