You can put whatever you wish in /etc/gpio.conf and enable gpio=YES in
/etc/rc.conf and it will all work correctly upon boot but the config
would be locked down. What doesn't work, without making sure
securelevel == -1, is just using gpioctl in an arbitrary manor from
multiuser. This may be mostly an annoyance for development purposes,
depending on what you are trying to do. However, I will admit to
compiling kernels with INSECURE in cases when I needed to use gpioctl in
an arbitrary way. Opinions may differ as to how this should all work.
It does make some sense that you might not want even root to be able to
change pin configurations after going to multiuser. I built a security
system that uses a bunch of RPI gpio to sense dry contacts such as a
window opening, or a trip wire breaking contact. The system is also
able to monitor something like a moisture sensor that goes from low to
high or vise versa. For that system it is advisable that even root
should not be able to change the pin configs from multiuser once they
have been set on boot.