Comment:

Resource may only be updated if that is legally allowed/appropriate and in some cases a normal "update" is explicitly disallowed (e.g. a provider may not update finding authored by another or prescription authored by another). In V2/snapshot mode the only allowed type of "update" is a "replace all" assuming the sending system in the header is the same as the original The FHIR specification addressed only Document as "immutable bundles" but in reality other resources may only be updated if the system/user attempting the "update" is "authoritative".

"update" needs additional business-specific details describing when/if an update may be appropriate based on the how and who created a resource (similar to the FHIR Document discussion). The current generic security guidance does not explain the specific issues related to risks introduced by specific operations.