The read only system volume is a great feature.
This prevents a whole set of attacks.
And please never disable SIP, and keep a close eye on what apps you give full disk access to (basically only backup tools). There are a lot of things that can go wrong.
It was a file. Using the command line (with sudo), I got the error "Operation Not Permitted", which is usually associated with permissions (which I had). I didn’t dig in too deep because I could delete it from the Finder, but I suspect it had the stupid “com.apple.macl” xattr.
Which attacks does it prevent? Have there been any rootkit equivalents for macOS? The only attacks on macOS are easily preventable LaunchAgents. Another attack was via Safari for an old Safari version with a known bug which Apple didn’t fix for over half a year.
I also waited for Monterey 12.1 and I have to say it works fine. I only have issues sometimes when I click on my clock in the upper right corner. Sometimes it won’t open.