[boris]

>It's possibly to state in a single command "show me the drift in my config files/data versus the ref I'm running" and/or "show me the diff between my running system and an update I may apply".

I can see how this can be usable for configuration. But I am having a hard time imagining how this would look for something like PostgreSQL's data files.

[ElectricalUnion]

You run your DB inside a container as usual - volumes for data storage, read-only base container with non-root user.

[mhitza]

/var is not immutable, /home is also relocated to /var/home on Fedora Silverblue for this reason (as far as I recall, it's been a while since I've checked up Silverblue)