Yes, you are absolutely right. At a minimum, App_Data needs write access. But for full admin functionality:
/app_code/extensions - to install extensions at runtime.
/styles - for custom styles
/themes - to install themes from gallery at runtime
/user controls - can be used to install custom controls; for example, extensions use it to install a custom admin page
/widgets - to install widgets from gallery
/web.config - it is not really modified, but used to restart IIS by changing the time stamp and forcing the application pool to recycle.
It is all *optional*, and for a locked-down environment it can be read-only, with admin functionality limited.
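
The two permission profiles described above, as an added PowerShell example that is not part of the original post: write access on App_Data only by default, and on the optional paths only when `-FullAdmin` is given. The site root and application pool identity are assumed placeholder values; the relative paths are the ones listed in the post.

```powershell
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\blog',   # assumed install path
    [string]$Identity = 'IIS AppPool\BlogPool',      # assumed app pool identity
    [switch]$FullAdmin                               # open the optional paths too
)

# Minimum: App_Data must be writable.
$required = @('App_Data')
# Optional paths from the post, needed only for runtime installs from the admin UI.
$optional = @('app_code\extensions', 'styles', 'themes',
              'user controls', 'widgets', 'web.config')

function Set-WriteAccess([string]$Path, [bool]$Allow) {
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping missing path: $Path"
        return
    }
    if ($Allow) {
        # Directories pass Modify on to children; a single file gets a plain ACE.
        $ace = if (Test-Path -LiteralPath $Path -PathType Container) { '(OI)(CI)M' } else { 'M' }
        icacls $Path /grant "${Identity}:$ace" | Out-Null
    } else {
        # Removes only explicit grants for this identity; inherited ACEs are untouched.
        icacls $Path /remove:g $Identity | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $Path" }
    else { Write-Output ("{0,-8} {1}" -f $(if ($Allow) { 'write' } else { 'locked' }), $Path) }
}

foreach ($rel in $required) { Set-WriteAccess (Join-Path $SiteRoot $rel) $true }
foreach ($rel in $optional) { Set-WriteAccess (Join-Path $SiteRoot $rel) $FullAdmin.IsPresent }
```

Run it from an elevated prompt. If the identity still has write access after a locked-down run, the right is inherited from a parent folder or comes from a group the identity belongs to.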