Why can't docker configs be writable?

The documentation of docker config states that a docker config cannot be writable:

mode: The permissions for the file that is mounted within the service’s task containers, in octal notation. For instance, 0444 represents world-readable. The default is 0444. Configs cannot be writable because they are mounted in a temporary filesystem, so if you set the writable bit, it is ignored. The executable bit can be set. If you aren’t familiar with UNIX file permission modes, you may find this permissions calculator useful.

I understand that writing to tmpfs is not persistent if the docker is restarted, but why does being mounted to a temporary filesystem prevent the file from being writable?

Last time I checked, configs and secrets were for Swarm services only.

In Docker Swarm, configs and secrets are distributed using the raft consensus log for the cluster state. Only manager nodes can change the cluster state. A worker node cannot update cluster state and thus cannot alter the raft consensus logs.

Imagine you have n replicas of a service and two or more of them perform changes on the config. How should Swarm determine which configuration is the desired one? This would require some sort of merge mechanism with automated conflict resolution. Then the config file would need to be distributed by the raft consensus log and for each service (and replica) using it would need to replace the old content with the new content. Even today, if you edit the content of a configs file and do not update the handle, the changed file will not be applied when a service is updated - it is only applied if the stack is removed and started again.

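The answer above notes that edited config content is not applied unless the handle changes. As an added example (not part of the original posts), the following shell functions derive the handle from the file's content, so every edit produces a new config name. The names `app_conf`, `app.conf`, `web`, `demo` and the `nginx:alpine` image are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: derive a Swarm config handle from the file's content.
# Configs cannot be modified by tasks, so new content needs a new handle.
# All names below (app_conf, app.conf, web, demo) are illustrative assumptions.

# config_handle BASE FILE
# Prints BASE_<first 12 hex characters of SHA-256(FILE)>.
config_handle() {
    base=$1
    file=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    digest=$(sha256sum "$file" | cut -c1-12)
    printf '%s_%s\n' "$base" "$digest"
}

# render_stack HANDLE
# Prints a compose file that mounts the config read-only (mode 0444)
# under the content-derived name passed as HANDLE.
render_stack() {
    cat <<EOF
version: "3.7"
services:
  web:
    image: nginx:alpine
    configs:
      - source: app_conf
        target: /etc/app/app.conf
        mode: 0444
configs:
  app_conf:
    name: $1
    file: ./app.conf
EOF
}

# Typical use on a manager node (not executed here):
#   handle=$(config_handle app_conf ./app.conf)
#   render_stack "$handle" > stack.yml
#   docker stack deploy -c stack.yml demo
```
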