Enable read-only overlay for your rootfs and make your /boot readonly. Just use raspi-config, and go into performance options.
There are some gotchas - everything you write after that goes to a tmpfs. Meaning it starts cutting into your available RAM. So this overlay is only really useful if you are using the high-memory variants like the 4GB/8GB RPI4. With the 1GB Pi variants, this gets painful.
Alternatively, You could setup a cron job to reboot every night thus clearing the tmpfs.
Do remember to disable the overlay (and make /boot rw) every few weeks to apply updates.
There are some gotchas - everything you write after that goes to a tmpfs. Meaning it starts cutting into your available RAM. So this overlay is only really useful if you are using the high-memory variants like the 4GB/8GB RPI4. With the 1GB Pi variants, this gets painful.
Alternatively, You could setup a cron job to reboot every night thus clearing the tmpfs.
Do remember to disable the overlay (and make /boot rw) every few weeks to apply updates.