I don't know about what is it like now (with all this A/B stuff), but /system/ on Android is supposed to be read only. As was ROFS on Symbian. That said, root could modify /system/ anyway.
It's still read-only on Android these days (there are multiple partitions for A/B stuff). Root can modify it, true, but I don't think anyone is storing any secrets on there.
With file-based encryption on the data partitions, Android hard resets should make all files inaccessible even if they're left on the drive.
