I can certainly understand the desire to lock down the permissions so that changes can only be made through approved processes.
I know this isn’t completely what you are looking for, but if it was me I would probably lock down the folders in the structure right down to the level above the work and publish folder and then allow write permissions from there onwards. That would mean you only need to extend the core hooks as mentioned in this topic.
You could even lock down the permissions on the publish folder as well, and then perhaps you would push the publish copying process out to the farm which would have write permissions, leaving only the work folder open to abuse 
.