Okay, that's it! I think Design "2" is a good one. It has good security against rollback or selection attacks by malicious servers (assuming some kind of whitelisting of servers! Which is ticket #467 and is not yet implemented.) And, it doesn't go too far over the top in terms of complexity; it seems more intuitive to me than (my vague memories of) previous attempts to design add-only sets for LAFS.
A malicious adder, who controlled the a server or communications with the server could make up a fictitious history, so that one reader sees one history, and another reader sees a different history. So I don't see that this differs substantially from complete write authority. What one would like is that many people could add, but only a few people, or no people, could delete or change, in order that history cannot be rewritten, and that every reader will see the same history, rather than history being adjusted to be different for different readers. There was a proposal to do something like this to protect against man in the middle attacks by CAs. The proposal was to use append only files to construct a global map from strings to data associated with those strings, such that everyone was guaranteed to see the same map, and the same map history - though it is not clear to me that append only files are sufficient to accomplish that goal. The map would be used to relate domain names to certificates, guaranteeing that everyone, including the rightful owner of the domain, saw the same certificate. I do not recall how they proposed to implement append only files, nor the global and same for everyone map.