Many tools don’t need write access to their project / tool home directory: they only read source code and maybe configuration files from there. I think a webservice flag to add readOnly: true to the home volume mount would be useful to reduce the potential damage if a tool has a vulnerability that allows code execution on the server.
The flag should be available both on the command line and in service.template.
(I’m mainly interested in Kubernetes tools here; I have no idea if this would be possible on the Grid.)
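For illustration, a Kubernetes pod spec with the home volume mounted the way the requested flag would produce it. This is an added example, not output of the webservice command or taken from its code; the pod name, image, volume names and paths are placeholders, and the separate scratch volume is an assumption for tools that still need somewhere to write temporary files.

```yaml
# Added example. All names, the image and the paths below are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: example-tool
spec:
  containers:
    - name: webservice
      image: example.invalid/tool-runtime:latest
      volumeMounts:
        # Without the flag, readOnly is omitted and defaults to false,
        # so code running in the container can modify the tool's source
        # and configuration files:
        #
        #   - name: home
        #     mountPath: /path/to/tool-home
        #
        # With the flag, the same mount is read-only inside the container.
        # Writes fail with EROFS ("Read-only file system").
        - name: home
          mountPath: /path/to/tool-home
          readOnly: true
        # Assumption: a per-pod scratch directory for temporary files.
        # It is discarded when the pod is deleted, so nothing written
        # here persists into the home directory.
        - name: scratch
          mountPath: /path/to/scratch
  volumes:
    - name: home
      hostPath:
        path: /path/to/tool-home
        type: Directory
    - name: scratch
      emptyDir: {}
```

The readOnly setting is per volumeMount, so it restricts only this container's view of the volume; other pods or hosts that mount the same directory read-write are unaffected.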