config.yaml should persist from one update to the next, noting that plugins and OctoPrint routinely updates it.
You can't necessarily prevent a geeky user from modifying his/her
config.yaml, though, especially if they know the Pi's password. Note that a geeky user who knows the API key could likely change settings remotely from the REST API.
Unless you write a plugin to block changes in the Connection side panel, the user could in theory change this back to the raw device. I couldn't tell you if the non-Admin setting for a user in User Access control would or wouldn't affect this; you'd need to test.
Ewald was suggesting the available virtual printer.
In your case, I think I would suggest something which involves socat.