The Automatic Updates module displays an error saying that Drupal must have write access to the file system if core files are not writable. This is a security risk because a vulnerability in Drupal could allow an attacker to completely overwrite a site's core files. Automatic Updates and a protected file system can both be compatible with best practices if we use the file transfer backends that the Update Status module uses to update contributed modules and themes when they are installed on a protected file system.

Manual updates would require an admin to enter credentials providing temporary write access to the file system. Unattended updates would have to be initiated by a process with greater privileges than the web server.

https://www.drupal.org/project/automatic_updates/issues/3159719