what protection mechanisms exist by default for the digest files?
By default there are no built in protections for the Digest files. You can however, prevent deletion by IAM and Bucket Policies. It’s best practices to deliver Cloud Trail logs to a bucket that only trusted individuals have read access to. I would say only CloudTrail needs write access so it can be, and should be, locked down.