Yes.
And if an app has more than one published versions, I would like to set all the published branches as read-only.
I would make all the branches read-only. The user must explicitly specify which branches are read-and-write. You can publish a read-and-write branch if you want, but you need to explicitly set it that way.
As is, it’s too easy to edit everything.
Most standard workflows, even advanced ones, will only edit some development branch(es) and merge to the published one(s). I can’t see a workflow that needs to edit a published branch, it’s too dangerous. But if you really want to do that, you can edit the environment and set that branch to read-and-write.
A new app could be automatically configured out of the box with a dev read-and-write branch and a master read-only branch. The UI could have the Publish button that merges dev to master, and the simple workflow is set.
For advanced workflows, you could setup all the branches you want and tag them as read-only or not.