Some easy to extend mechanism to entirely (no auth loopholes, maybe standalone loophole) prevent user writes to certain collections, if it does not already exist, might be a good thing to have.

Specifically, repl code has expectations that the 'local.replset.minvalid' and 'local.replset.oplogTruncateAfterPoint' collections are not written to by users – e.g., we expect those collections to have a certain number of documents.

We should consider whether backup needs to be allowed write access, or other downstream products. Also whether downstream products perhaps only need access in standalone mode, so we could target repl mode specifically for disallowing the writes and disallowing incorrect config on startup.