This is so boneheaded it beggars belief. The straightforward solution is to require the UEFI variable filesystem (or whatever it is called these days) to be mounted read-only, and require (UNIX anyway, but something analogous ought to work for Windows too) an application to do a "mount -o remount,rw" to do whatever it needs to do, then do a "mount -o remount,ro" when it's finished. Not as nice as having UEFI not be seriously broken, but workable, and there's not much of an excuse for things like systemd, openrc, etc. implementing this where appropriate (and for any UEFI crap that can brick a system, this is appropriate).
Applications don't like it? Tough, patch the damn things. Requireing firmware to be exposed to harm like this on any operating system is unacceptable.