Consider using a non-Windows file system on the system partition
The system partition of the USB stick already uses the hidden
flag of GPT to discourage Windows and others to manipulate it.
According to #17634 (closed), this is not enough to prevent Windows from doing so and this creates trouble for some of our users already. Though we don't have more information about which applications or Windows configuration do manipulate it right now.
I understand that we won't ever be able to completely prevent an OS from manipulating the USB stick if plugged in (and maybe implanting a vulnerability) and so that we are talking about finding a tradeoff here.
But I guess that formatting the system partition with Ext4 for example, would fix #17634 (closed) for example.
What would be the cost? Could moving out of FAT bring other benefits?