Maintaining integrity of logs when using Loki and Alloy

When you have a Loki instance that is ingesting logs from various containers, VMs, etc., how does one protect the integrity of the logs, for example by enforcing that app-a can never send a log entry with a label of application=app-b to Loki?

For example to maintain integrity of the logs in Loki of app-b if the container or VM of app-a gets compromised (for example by a hack of the application running in it).

The only thing I can think of is to put Alloy in front of Loki and create a separate listener for each application (and use cloud firewall rules to ensure only specific containers and VMs can access this port) and force the labels to be correct.

I’m also curious to know if this is something which people consider? Or is this usually deemed out-of-scope and are all Loki “clients” considered “trusted”?

IMHO authentication + you use authN info in the label.
For example, you will use mutual TLS, so each app will have its own client certificate with Subject name = app-a. Then the infra in front of Loki, e.g. an OTEL collector (I won’t comment on Alloy options), will enforce mutual TLS authentication and it will use the Subject name from the client certificate to define/overwrite the application label value. The app can send any value there (e.g. app-b), but the collector will overwrite it to app-a anyway, because that will be the value used in the authN.
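The label overwrite described in the reply above, as an added example that is not code from the thread or from any Grafana or OpenTelemetry project. It assumes a proxy in front of Loki has already completed mutual TLS and receives the JSON form of Loki's push body; the function names `identity_from_peercert` and `enforce_label` are hypothetical, and the certificate and body are constructed samples.

```python
import json

LABEL = "application"  # label name taken from the question


def identity_from_peercert(cert: dict) -> str:
    """Return the Subject commonName from ssl.SSLSocket.getpeercert() output."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    raise ValueError("client certificate has no Subject commonName")


def enforce_label(body: bytes, identity: str) -> tuple[bytes, list[str]]:
    """Overwrite LABEL on every stream of a Loki JSON push body.

    Returns the rewritten body and the mismatching values the client sent,
    so the proxy can log or alert on spoofing attempts.
    """
    payload = json.loads(body)
    streams = payload.get("streams")
    if not isinstance(streams, list):
        raise ValueError("not a Loki push body: missing 'streams' list")
    spoofed = []
    for stream in streams:
        labels = stream.setdefault("stream", {})
        claimed = labels.get(LABEL)
        if claimed is not None and claimed != identity:
            spoofed.append(claimed)
        labels[LABEL] = identity  # authenticated value always wins
    return json.dumps(payload).encode(), spoofed


# Constructed sample: getpeercert() output for a cert with CN=app-a, and a
# push body in which that client labels one stream as app-b.
SAMPLE_CERT = {"subject": ((("commonName", "app-a"),),)}
SAMPLE_BODY = json.dumps({"streams": [
    {"stream": {"application": "app-b", "level": "info"},
     "values": [["1700000000000000000", "user admin logged in"]]},
    {"stream": {"level": "error"},
     "values": [["1700000000000000001", "disk full"]]},
]}).encode()

if __name__ == "__main__":
    who = identity_from_peercert(SAMPLE_CERT)
    new_body, spoofed = enforce_label(SAMPLE_BODY, who)
    print(new_body.decode())
    print("spoofed label values:", spoofed)
```

The returned list of mismatching values gives the proxy something to alert on, since a client that sends another application's label is either misconfigured or compromised.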