By default there are no built-in protections for the digest files. You can, however, prevent deletion with IAM and bucket policies. It's best practice to deliver CloudTrail logs to a bucket that only trusted individuals have read access to. I would say only CloudTrail needs write access, so it can be, and should be, locked down.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
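As an added illustration of the locked-down bucket policy the answer describes (this is example configuration, not from the original post or from AWS), the following bucket policy lets the CloudTrail service principal check the ACL and write under the AWSLogs/ prefix, and denies everyone else deleting or writing there. The bucket name `example-cloudtrail-bucket` and account ID `111122223333` are placeholders; the last statement relies on the global condition key `aws:PrincipalServiceName`, so the Deny does not apply to CloudTrail's own writes.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::example-cloudtrail-bucket"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-cloudtrail-bucket/AWSLogs/111122223333/*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    },
    {
      "Sid": "DenyDeleteOfLogsAndDigests",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
      "Resource": "arn:aws:s3:::example-cloudtrail-bucket/AWSLogs/*"
    },
    {
      "Sid": "DenyWritesExceptCloudTrail",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-cloudtrail-bucket/AWSLogs/*",
      "Condition": {"StringNotEquals": {"aws:PrincipalServiceName": "cloudtrail.amazonaws.com"}}
    }
  ]
}
```

Because CloudTrail stores log files under AWSLogs/<account>/CloudTrail/ and digest files under AWSLogs/<account>/CloudTrail-Digest/, one Deny on the AWSLogs/ prefix covers both, and the digest chain can then be checked with `aws cloudtrail validate-logs --trail-arn <trail-arn> --start-time <time>`. Note that an explicit Deny with `"Principal": "*"` also binds the account's own administrators, so the only way to remove objects is to first change the bucket policy, which is itself a logged API call.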
Thanks for the response. The reason I asked is that both the logs and the digest are going to the same bucket. So if someone can mess with the logs, then they can also mess with the digest, and if we are able to lock down the digest, then the logs should also be automatically protected. Unless I am missing something.