Currently we recommend making the matomo.js tracker file writable by the web server user, otherwise we display a warning in "Diagnostics":
As reported in https://github.com/matomo-org/matomo-package/issues/109, having core Matomo files as read-only would be a plus for security for some users. In particular, when the same server hosts other apps and one of these other apps gets attacked, then at least the attacker wouldn't be able to serve malicious JS via Matomo.
It can actually already be implemented by following these steps:
php path/to/matomo/console custom-matomo-js:update <- this crontab will re-generate the matomo.js tracker file when needed (for example after upgrading plugins that define a JS tracker file, or after installing a new plugin that has a tracker JS file).
So maybe what we could do to eventually "solve" this issue would be to:
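Added example, not part of the original issue or of Matomo's code: a shell audit for the read-only setup discussed above, which reports whether a given web server user can still modify matomo.js, either directly or by replacing it in a writable parent directory. The function names are hypothetical, GNU `stat` is assumed, and the web server user name is supplied by the caller.

```shell
#!/bin/sh
# Added example: audit whether the web server user can modify matomo.js.
# Assumptions (not from the page): GNU stat; function names are hypothetical.

# mode_allows_write MODE OWNER GROUP USER "USER_GROUPS"
# Returns 0 if the permission bits grant USER write access, 1 otherwise.
# Mirrors the kernel's order: only the first matching class (owner, then
# group, then other) is consulted. Root bypasses these bits entirely.
mode_allows_write() {
    m=$(( 0$1 ))                                  # parse MODE as octal
    if [ "$2" = "$4" ]; then
        [ $(( m & 0200 )) -ne 0 ]; return         # owner class
    fi
    for g in $5; do
        if [ "$g" = "$3" ]; then
            [ $(( m & 0020 )) -ne 0 ]; return     # group class
        fi
    done
    [ $(( m & 0002 )) -ne 0 ]                     # other class
}

# tracker_writable_by FILE USER
# 0 = USER can change FILE, 1 = USER cannot, 2 = could not determine.
# The parent directory is checked too: a read-only file inside a
# directory the user can write to can still be replaced by rename.
tracker_writable_by() {
    file=$1
    user=$2
    ugroups=$(id -Gn "$user" 2>/dev/null) || return 2
    for target in "$file" "$(dirname "$file")"; do
        set -- $(stat -c '%a %U %G' "$target" 2>/dev/null)
        [ $# -eq 3 ] || return 2
        if mode_allows_write "$1" "$2" "$3" "$user" "$ugroups"; then
            return 0
        fi
    done
    return 1
}

# Typical use (path and user name are placeholders):
#   tracker_writable_by path/to/matomo/matomo.js www-data \
#       && echo "matomo.js can be modified by the web server user"
```
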