
All PDF security can be stripped by freely available software in ways that allow subsequent modifications without restriction, except the kind of PDF security that requires an unavailable password to decrypt to view, but in that case viewing isn’t possible either.

Subsequent modifications would of course invalidate any digital signature you’ve applied, but that only matters if the recipient cares about your digital signature remaining valid.

Put another way, there’s no such thing as a true read-only PDF if the software necessary to circumvent the other PDF security restrictions is available on the recipient’s computer and if preserving the validity of your digital signature is not considered important.

But sure, it’s very possible to distribute a PDF that’s a lot more annoying to modify than your private source format. No disagreement there.
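The comment above distinguishes two different things a PDF can carry: permission restrictions, which are just flag bits in the file's encryption dictionary, and a digital signature, which stays valid only until someone appends changes. As an added example (not from this thread), the following Python inspector reads the declared /P permission bits and checks whether each signature's /ByteRange still reaches the end of the file, which is how a verifying viewer notices content appended after signing. It builds its own sample PDF with placeholder signature and password strings (constructed for the demonstration, not real cryptographic material); the helper names such as `inspect_pdf` and `build_sample_pdf` are this example's own, and it performs no cryptographic verification.

```python
import re

# /P permission bits of the standard security handler (PDF 32000-1:2008, Table 22).
# Bit numbers are 1-based, as in the specification.
PERMISSION_BITS = {
    3: "print",
    4: "modify",
    5: "copy",
    6: "annotate",
    9: "fill_forms",
    10: "extract_for_accessibility",
    11: "assemble",
    12: "print_high_quality",
}

OBJECT_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def decode_permissions(p_value):
    """Translate the signed 32-bit /P integer into a name -> allowed mapping."""
    p = p_value & 0xFFFFFFFF
    return {name: bool(p & (1 << (bit - 1))) for bit, name in PERMISSION_BITS.items()}


def encryption_info(data):
    """Report the declared restrictions of a /Standard encryption dictionary, if any.

    Only the declared /P value is read. Whether opening the file really needs a user
    password would require running the security handler's password algorithm, which
    this inspector deliberately does not do: it shows what the file claims, not what it enforces.
    """
    for _num, _gen, body in OBJECT_RE.findall(data):
        if b"/Standard" not in body:
            continue
        m = re.search(rb"/P\s+(-?\d+)", body)
        if m:
            return {"encrypted": True, "permissions": decode_permissions(int(m.group(1)))}
    return {"encrypted": False, "permissions": None}


def signature_coverage(data):
    """For each /ByteRange, check whether the signed ranges reach the end of the file.

    Bytes after the signed range were appended after signing (an incremental update).
    Whether such an update is permitted is governed by the signature's DocMDP policy,
    which is outside this check.
    """
    results = []
    for m in BYTERANGE_RE.finditer(data):
        start1, len1, start2, len2 = (int(x) for x in m.groups())
        signed_end = start2 + len2
        results.append({
            "byte_range": (start1, len1, start2, len2),
            "covers_whole_file": start1 == 0 and signed_end == len(data),
            "trailing_bytes": len(data) - signed_end,
        })
    return results


def inspect_pdf(data):
    """Combine the declared restrictions and the signature coverage into one report."""
    info = encryption_info(data)
    info["signatures"] = signature_coverage(data)
    return info


def build_sample_pdf(modified_after_signing):
    """Construct a minimal, hypothetical signed-and-restricted PDF for demonstration.

    The signature value and the /O and /U strings are placeholders, not real
    cryptographic material; only the structure the inspector reads is genuine.
    """
    head = (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Count 0 /Kids [] >>\nendobj\n"
            # /P -3884: print and copy allowed; modify, annotate, form fill, assemble denied
            b"3 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3884 /O <00> /U <00> >>\nendobj\n")
    sig_open = b"4 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached /ByteRange "
    contents = b"<" + b"00" * 16 + b">"          # placeholder for the PKCS#7 blob
    tail = b" >>\nendobj\ntrailer\n<< /Root 1 0 R /Encrypt 3 0 R >>\n%%EOF\n"
    field_width = len(b"[%010d %010d %010d %010d]" % (0, 0, 0, 0))
    len1 = len(head) + len(sig_open) + field_width + len(b" /Contents ")
    start2 = len1 + len(contents)                 # signed range resumes after the hex string
    byte_range = b"[%010d %010d %010d %010d]" % (0, len1, start2, len(tail))
    data = head + sig_open + byte_range + b" /Contents " + contents + tail
    if modified_after_signing:
        # An incremental update appended after the signed range, the way an editor saves changes
        data += (b"5 0 obj\n<< /Type /Annot /Subtype /FreeText /Contents (added after signing) >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return data


if __name__ == "__main__":
    for flag in (False, True):
        print("modified after signing:", flag, inspect_pdf(build_sample_pdf(flag)))
```

The permissions report is the "annoying, not secure" part: a reader that ignores /P sees the same bytes. The coverage check is the part that actually carries evidence, and only if the recipient's software runs it and the recipient cares about the result.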





You think a recruiter will be a forensic security researcher? Having a document-level digital signature is enough for 99% of use cases. Most software that a consumer would have respects the signature and prevents any modifications. Sure, you could manually edit the PDF to remove the document signature security and hope that the embedded JavaScript check doesn’t execute…

Nothing that hard. When I had a technically similar need (for non-shady purposes unrelated to recruiting) I found easy installable free GUI software for Windows that worked just fine with a simple Google search. No specialist expertise needed.

Yes, most consumer software does respect what you say. But it’s easy for a minimally motivated consumer to obtain and use software which doesn’t.

However, the context we were discussing was neither a consumer nor a forensic security researcher, but a recruiter trying to do shady things with a resume. I don't expect them to be a specialist, but I do expect them to be able either to get the kind of software I just described with a security stripping feature, or else to have access to third-party software specifically targeting the recruiter market that will do the shady things - including to digitally signed PDFs like yours - without them having to know how it works.


The GP's attack vector was probably a recruiter editing the CV to put their company name in some place and forwarding it to some client. They are lazy enough not to even copy-paste the CV.

Yeah, and they can do that with simple easily findable and downloadable free graphical software to strip the security, nothing super-technical needed.


