This is a requirement from a customer who is a bank.
They are planning to deploy several DS only instances in low security environment, making these instances read-only.
They want to make sure that even if the DS instance is compromised by a hacker, changes are not accepted by any remote RS.
This could be done with allow / denied lists configured on all RSs. Consistency of such lists across all RS will be important for security reasons.