A major problem with copy on write is that users cannot scrub their data; that has to be done by a root user.
The POSIX committee needs to get its act together and provide an F_OVERWRITE fcntl system call that says "when I write a block back to the disk for this file, put it in the same place".
As an example of why this is needed:
echo "123SomeMagic" >file
echo "XYZZY123" >file
You get the same results if you do an open, write, sync, seek 0, write.
dd if=/dev/zero of=file&rm zero; won't even scrub the data off the disk most of the time with ZFS, APFS or BTRFS. Encryption won't help either since the OS will happily give you a bunch of unencrypted blocks if you have the right privilege levels.
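
A toy model of the behaviour described above, added here as an illustration and not part of the original comment: it rewrites a file under copy-on-write allocation and then scans the raw blocks for the old contents. The `ToyDisk` class, its 16-byte block size and the `in_place` flag (standing in for the proposed `F_OVERWRITE`, which is not an existing fcntl) are all constructed assumptions.

```python
# Toy model (constructed for illustration): a "disk" is a list of blocks,
# and a file is a list of block numbers pointing into it.
BLOCK = 16

class ToyDisk:
    def __init__(self, nblocks=8, cow=True):
        self.blocks = [bytes(BLOCK)] * nblocks   # raw medium
        self.free = list(range(nblocks))         # unallocated block numbers
        self.files = {}                          # name -> list of block numbers
        self.cow = cow

    def write(self, name, data, in_place=False):
        """Rewrite a file from offset 0. in_place models the F_OVERWRITE
        semantics the comment asks for (hypothetical, not a real fcntl)."""
        chunks = [data[i:i + BLOCK].ljust(BLOCK, b"\0")
                  for i in range(0, len(data), BLOCK)]
        old = self.files.get(name, [])
        new = []
        for i, chunk in enumerate(chunks):
            if i < len(old) and (in_place or not self.cow):
                blk = old[i]                     # reuse the same physical block
            else:
                blk = self.free.pop(0)           # CoW: allocate a fresh block
            self.blocks[blk] = chunk
            new.append(blk)
        # Blocks no longer referenced return to the free list, contents intact.
        self.free.extend(b for b in old if b not in new)
        self.files[name] = new

    def raw_scan(self, needle):
        """What a privileged reader of the raw device sees: every block,
        whether or not a file still references it."""
        return [n for n, b in enumerate(self.blocks) if needle in b]

def residue_after_overwrite(cow, in_place=False):
    """Write the two strings from the comment, then look for the first one."""
    disk = ToyDisk(cow=cow)
    disk.write("file", b"123SomeMagic\n")
    disk.write("file", b"XYZZY123\n", in_place=in_place)
    return disk.raw_scan(b"SomeMagic")

if __name__ == "__main__":
    print("copy-on-write:     ", residue_after_overwrite(cow=True))
    print("overwrite in place:", residue_after_overwrite(cow=True, in_place=True))
    print("non-CoW allocation:", residue_after_overwrite(cow=False))
```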