In v66 and higher, CloudReady is adding a security feature found in Chromebooks called rootfs verification.
Rootfs verification's job is to ensure that the parts of a CloudReady disk that contain the most critical and sensitive code for running the OS are not edited from one startup to another. When enabled, users are protected from tampering that might occur using external bootable media or removal of the internal drive.
v66 and higher
Google uses a stack of security verification steps called "Verified Boot" to create a chain of trust from the firmware to the OS, confirming that everything is secure and in the state expected by Google. This functionality requires a controlled relationship between hardware and OS that is not possible on CloudReady, where the freedom to use any hardware is provided.
Despite this, CloudReady offers many of the same security features as a Chromebook at the OS level, including per-user encryption and process sandboxing. In v66, we are adding a feature that verifies some of the most critical parts of the OS, the root file system, during startup, bringing CloudReady even closer to the security of an official Chromebook.
Rootfs verification will prevent any tampering with the drive from one boot to the next. CloudReady already prevents editing the root drive while running, and will now use this verification step to prevent startup if a change has been made while the drive was powered down. This can prevent tampering that occurs using external bootable environments (like a bootable USB) or changes made when someone physically removes the internal CloudReady disk from an installed device.
If you are using the Home Edition and you want to be able to edit your root file system, you need to take extra steps as documented here.