SD Cards, while they have a write-protect switch, are actually no good for this purpose because it’s not actually hardware write protection – at best the card reader sends a signal to the operating system that the drive should be treated as read-only. The write-protect switch on the cards is read by a sensor that’s part of the card reader, and the card reader then passes along to the operating system whether the card is read-only. According to the specification from sdcard.org
A proper, matched, switch on the socket side will indicate to the host that the card is write-protected or not. It is the responsibility of the host to protect the card. The position of the write protect switch is unknown to the internal circuitry of the card.
Basically this means that either a) cheap card readers that lack the sensor or b) operating systems or malware that don’t respect the “please don’t write to this disk” flag can write to the drive. While this may not be likely, it’s also not as secure as you might think based on the presence of that switch. (Source