Interesting. Pretty much in a nutshell everything I like and don't like about Apple. Excellent and thorough approach to security that includes making app developers follow the security model but expensive hardware that will be outdated in no time at all even on the IT time frame.
Yet somehow people are still able to jailbreak iOS 9 which has the same "rootless" feature and is even more locked down... But still renders most Apple "geniuses" powerless in specific scenarios. Now if this is bypassed (which I'm betting it can be), and startup disks is disabled, cleanup may be even harder than dealing with firmware malware.