This is not true, ISO9660 was designed to be a read-only filesystem: it has no concept of slack space nor sectors in the traditional sense. Every file and directory entry on ISO9660 consists of a single extent (contiguous number of sectors). If your file or directory entry needs to grow beyond its current size, you must create a new copy of the entire entry and append it to the image.
The only writable filesystems that use the same allocation strategy are log-based flash filesystems, but they also have support for quickly scanning the filesystem to get the most recent snapshot state. Again, ISO9660 does not have that because it was not designed to be writable.
The point is that an ISO image is just a file, and if that file is on a USB stick, it can be accidentally overwritten or deleted, same as any other file.
And if someone really wanted to (in a black hat scenario), it would absolutely be possible to rewrite an ISO image on the fly to modify individual files.
No, once written to a USB stick, an ISO image is not a file anymore; it is a sequence of blocks outside of any filesystem. This means you need to use special raw disk tools (like dd) to modify it, and you can no longer operate on it using file managers, "ls", "mv", "rm" and all the related stuff.
You are correct that in a black hat scenario, one could rewrite an ISO image on the fly - after all, that's what I do when I upgrade my bootable USB stick to the latest version.
But while ISOs are not perfect protection against malware, they are _great_ against accidental modification. On my PC, when I insert a USB stick, the window pops up right away, and it takes 1 (one) mouse drag to make the drive unbootable. No such problem exists with ISO images.
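Since an image written raw to a stick is only a run of blocks, one way to check that it is still unmodified is to hash exactly those blocks and compare against the digest of the original ISO file. The sketch below is an added example, not code from any participant in this thread; the function names are hypothetical, the sample image is constructed, and it assumes the volume size in the Primary Volume Descriptor covers the whole image (images padded beyond that size are not handled).

```python
import hashlib
import io
import struct

SECTOR = 2048  # ISO9660 sector size; volume descriptors start at sector 16

def iso_length(dev):
    """Image length in bytes, read from the Primary Volume Descriptor."""
    for lba in range(16, 64):
        dev.seek(lba * SECTOR)
        vd = dev.read(SECTOR)
        if len(vd) < SECTOR or vd[1:6] != b"CD001" or vd[0] == 255:
            break  # short read, not a descriptor, or set terminator
        if vd[0] == 1:  # primary volume descriptor
            blocks_le = struct.unpack_from("<I", vd, 80)[0]
            blocks_be = struct.unpack_from(">I", vd, 84)[0]
            block_size = struct.unpack_from("<H", vd, 128)[0]
            if blocks_le != blocks_be:
                raise ValueError("both-endian volume size fields disagree")
            return blocks_le * block_size
    raise ValueError("no ISO9660 primary volume descriptor found")

def image_digest(dev):
    """SHA-256 over exactly the image's blocks, ignoring the rest of the device."""
    remaining = iso_length(dev)
    dev.seek(0)
    h = hashlib.sha256()
    while remaining:
        chunk = dev.read(min(remaining, 1 << 20))
        if not chunk:
            raise ValueError("device is shorter than the image it claims to hold")
        h.update(chunk)
        remaining -= len(chunk)
    return h.hexdigest()

def constructed_image(sectors=20):
    """Constructed sample: a minimal image with only the PVD fields used above."""
    img = bytearray(sectors * SECTOR)
    pvd = 16 * SECTOR
    img[pvd:pvd + 7] = b"\x01CD001\x01"
    struct.pack_into("<I", img, pvd + 80, sectors)
    struct.pack_into(">I", img, pvd + 84, sectors)
    struct.pack_into("<H", img, pvd + 128, SECTOR)
    return bytes(img)

if __name__ == "__main__":
    iso = constructed_image()
    stick = bytearray(iso + b"\xff" * 4096)  # the stick is larger than the image
    print(image_digest(io.BytesIO(stick)) == hashlib.sha256(iso).hexdigest())
    stick[5 * SECTOR] ^= 1                   # one changed bit inside the image
    print(image_digest(io.BytesIO(stick)) == hashlib.sha256(iso).hexdigest())
```

On a real system, `image_digest` takes the raw device opened read-only in binary mode, and the result is compared with the SHA-256 of the ISO file that was written.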