My understanding is that files in .cache/go-build are immutable and strongly named. If so, it might be worth setting them as read-only to help prevent cache corruption.
For example, as I mentioned on #24661, transitioning mdempsky/unconvert from go/loader to go/packages caused the go/token.File.Name() for cgo-processed files to start pointing into the go-build cache, whereas previously go/loader arranged for them to point to the original unprocessed files. The result was that the -apply flag silently started overwriting (and presumably corrupting) go-build cache entries.
Since I sloppily wrote unconvert to overwrite files in place, if the cache entries weren't writable, I believe it would have stopped this corruption. (Admittedly though I don't think this would help if I had properly implemented the write-to-temp-file-then-atomically-rename approach.)
For what it's worth, Git sets files in its .git/objects as read-only.