SET queries are only logged in the audit log when server_audit_events=QUERY is set, not with the more specific QUERY_* sub-modes.

So when e.g. using server_audit_events=QUERY_DCL queries that change the logging behavior, like e.g.:

SET global server_audit_logging=0;

This way a malicious user with SUPER privileges (but without file system level access to the server config files) could temporarily disable audit logging and then modify data without leaving a real trace.

IMHO queries changing the audit log configuration, so any SET operating on a server_audit_% variable, should appear in the log even if full QUERY mode is not set, or at least be included in QUERY_DCL mode.

Or, alternatively, there should be an option to outright ban any dynamic change of server_audit_% variables, e.g. something like

[mysqld]

server_audit_immutable=ON

that could be used to remove the DYNAMIC attribute from all audit plugin variables, and so to prevent runtime changes to audit log configuration.