I enjoyed reading the article, I didn't realize I could have this layer of immutability on my OpenBSD systems so easily. But after reading the comments here, indeed the real solution is to export the logs to a central server in another security domain à la PCI requirements.

On the other hand it's great to have documentation like this. I feel there's a gradient between convenience and security and immutable local logs could provide a layer of defense without requiring another server for logging. Maybe a "nice to have" for a small homelab, security practice, etc.