I like the idea of a general-purpose way of preventing writes. I haven't thought carefully about how this could be done solely through the permissions system, but I can see how it could be tricky. It's probably worth having a few more heads bang against it.
Some smaller but notable stuff to watch out for:
1) In postgres I'm pretty sure you can modify data in a SELECT some_function(args), which means you may not catch everything. That's mostly an enforcement and engineering standards issue.
2) If you're hanging all of the checks on [ad_conn package_id], you're going to miss anything processed in the background, such as email notifications.
