It would be nice if one could make a ._protect_* script which enabled config protection for the one file and was called to update it. For example, if I had a /etc/._protect_make.conf, Portage would make the new file be ._cfg5435_make.conf (even if CONFIG_PROTECT did not include it) and would run "./._protect_make.conf /etc/make.conf /etc/._cfg5435_make.conf". Alternatively, it might be better to have Portage ignore ._protect_* and have etc-update just use it instead, though.
per-file protection has a bug somewhere already.