Could you please help me better understand what you mean here?
I don't think we need random kluges added to the permissions system.
If you allow me, why do you think disabling ALTER SYSTEM altogether is a random kluge? Again, I'd like to better understand this position. I've personally been in many conversations on the security side of things for Postgres in Kubernetes environments, and this is a frequent concern by users who request that changes to the Postgres system (not a database) should only be done declaratively and prevented from within the system.
Alternate idea, not sure how good this is: Use existing OS security features (regular permissions, or more modern features such as the immutable attribute) to mark the postgresql.auto.conf file as not being writeable. Then any attempt to ALTER SYSTEM should result in an error.
