For Windows it could just prompt the user when an application attempts a write operation; just like UAC, if permission is granted the calling application wouldn't even notice the difference except for the pause while the open for write access call blocks pending user permission. Done at the same level as UAC in theory it should be impossible for malware to bypass approval, heck I'd even be happy typing my user account password to thaw it out.

Thats how I would envision working as well.

Seems like the classic tradeoff between better security and better UX.

Users would complain, and/or try to disable it.