You mean if malware running in a VM can disable grub-live?
If the disk is not set to ro at the host and it is running at root level then it should be doable. You just need to remount the disk RW and then change whatever data you want.
ro-mode-init just checks if the disk is set to ro at the hypervisor, it only activates “itself” i.e. the debian live stuff when the disk is ro so malware just running in the VM can’t change anything in a persistent way.
Ok.
Well, for some of those there isn’t really anything which grub-live could do. Instead the user would need to unplug disks himself or use some media with WP switch/secure™ firmware.
I can look at the automounting stuff but a default XFCE install never mounted non-root disks for me.
Swap might be an issue, encryption, using ro media or just don’t create a swap partition during install would be the options.