Idea Summary
Handling read-only conditions is crucial for a good and secure region plug-in. If your plug-in saves via AJAX, you definitely want a server-side check that aborts the save when the region is in a read-only state. Otherwise a user could take a save request captured from an instance that is not read-only and replay it against one that is.
The most obvious choice for the check is APEX_REGION.IS_READ_ONLY. But unfortunately, per the documentation, it only works during rendering. (There is also a small bug: it should return NULL in a non-rendering scenario, but it actually returns FALSE, which is also not nice.)
There are workarounds. The Interactive Grid, for example, appears to pass a salted hash (apex_util.get_hash) to the client during rendering; the AJAX save recomputes the hash and compares it, which makes a replay attack impossible because the user cannot forge the hash.
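The following is an added example of that workaround applied to a custom region plug-in; it is not code from the idea post and not APEX's or the Interactive Grid's own implementation. It assumes the function-style region plug-in API (render/ajax returning result records), the documented apex_util.get_hash(p_values, p_salted) and apex_plugin.get_ajax_identifier calls, a no-argument apex_region.is_read_only (check the signature in your release's APEX_REGION docs), a hypothetical package name my_region_plugin, a hypothetical plug-in attribute attribute_01 naming the page item that holds the record key, and a hypothetical client-side myRegion.init that posts x01..x03 back through apex.server.plugin on save. The point the plug-in author needs: everything that determines the read-only decision (region, record, flag) goes into the hash, otherwise a token from an editable instance in the same session would still verify.

```plsql
-- Added example, not from the original post or from APEX itself.
create or replace package body my_region_plugin as   -- hypothetical package name

    -- Hash the facts that decide whether a save is allowed. Anything that
    -- changes the decision (region, record, read-only flag) must be in here,
    -- otherwise a token from a different, editable instance would verify too.
    function save_token (
        p_region_id in number,
        p_record_id in varchar2,
        p_read_only in varchar2 )
        return varchar2
    is
    begin
        return apex_util.get_hash (
                   p_values => apex_t_varchar2 (
                                   'save-token', to_char(p_region_id),
                                   p_record_id, p_read_only ),
                   p_salted => true );  -- salted, so a token from another session does not verify
    end save_token;

    function render (
        p_region in apex_plugin.t_region,
        p_plugin in apex_plugin.t_plugin,
        p_param  in apex_plugin.t_region_render_param )
        return apex_plugin.t_region_render_result
    is
        l_result    apex_plugin.t_region_render_result;
        l_record_id varchar2(4000) := v(p_region.attribute_01);  -- assumed: attribute_01 = name of the PK page item
        l_read_only varchar2(1);
    begin
        -- Only valid here: during rendering the engine knows the read-only state.
        -- (no-argument form assumed; check APEX_REGION docs for your release)
        l_read_only := case when apex_region.is_read_only then 'Y' else 'N' end;

        sys.htp.p(
            '<div id="' || p_region.static_id || '" class="my-region"'
            || ' data-record-id="'  || apex_escape.html_attribute(l_record_id) || '"'
            || ' data-read-only="'  || l_read_only || '"'
            || ' data-save-token="' || save_token(p_region.id, l_record_id, l_read_only) || '">'
            || '</div>');

        -- myRegion.init is assumed plug-in JavaScript; on save it calls
        -- apex.server.plugin(ajaxId, { x01: recordId, x02: readOnly, x03: token }).
        apex_javascript.add_onload_code (
            p_code => 'myRegion.init('
                   || apex_javascript.add_value(p_region.static_id)
                   || apex_javascript.add_value(apex_plugin.get_ajax_identifier, false)
                   || ');' );
        return l_result;
    end render;

    function ajax (
        p_region in apex_plugin.t_region,
        p_plugin in apex_plugin.t_plugin,
        p_param  in apex_plugin.t_region_ajax_param )
        return apex_plugin.t_region_ajax_result
    is
        l_result    apex_plugin.t_region_ajax_result;
        l_record_id varchar2(4000) := apex_application.g_x01;
        l_read_only varchar2(1)    := apex_application.g_x02;
        l_token     varchar2(4000) := apex_application.g_x03;
    begin
        -- apex_region.is_read_only is not usable here (not rendering), so the
        -- read-only decision is taken from the render-time token instead.
        -- The explicit NULL check matters: NULL != x is not TRUE in PL/SQL.
        if l_token is null
           or l_token != save_token(p_region.id, l_record_id, l_read_only) then
            raise_application_error(-20001, 'Invalid or replayed save token.');
        end if;

        if l_read_only = 'Y' then
            raise_application_error(-20002, 'Region is read-only; save rejected.');
        end if;

        -- ... perform the actual save for l_record_id here ...
        apex_json.open_object;
        apex_json.write('status', 'saved');
        apex_json.close_object;
        return l_result;
    end ajax;

end my_region_plugin;
```

Because the read-only flag is part of the hashed values, a client that received 'Y' cannot simply change x02 to 'N': the token it holds was computed over 'Y' and will not match. The server still refuses to save when the verified flag is 'Y', so even a correct token is not enough to write to a read-only instance.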
But I feel APEX should have the back of plug-in developers and should not rely on them knowing that APEX_REGION.IS_READ_ONLY actually returns FALSE even though this is not the case, and then expecting them to know complicated workarounds like this.
Use Case
Plug-in developers.