The initial permissions used on the 'surf-config' folders under a new Site could do with improvement to ensure that only Site Manager role can modify or add files to it. See linked issue for more details. The suggestion is to turn off Inherit Permissions and explicitly add the Site Manager role for the Site to the surf-config folder when it is first created.
Axel Faust suggests:
MNT-16371I would also suggest to look into revoking ownership privileges for surf-config contents, to tighten access for former SiteManagers that have been removed since adding a file for e.g. a dashboard component.