I just added an audit table to a project. The db (postgresql) superuser still has all its privileges on that table. This means the data in the audit table could be edited, ergo corrupted, at any point by the superuser.
The question is, is this a theoretically/legally acceptable audit log?
Yes, absolutely. You only have to define that there is reliable auditing only for non-superusers.
There is no way in PostgreSQL to reliably protect information from the superuser. The superuser has full access to all information that PostgreSQL can read or write.
To protect your auditing system from tampering by a superuser, the component that collects and persists the auditing information would have to belong to and be run by an operating system user different from postgres.
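The scope described in the answer above, shown as an added example that is not part of the original question or answer: an audit table made append-only for an ordinary role, with the superuser still able to change it. The role name `app_rw` and the table layout are assumptions chosen for illustration, and the script is meant to be run in a scratch database while connected as a superuser.

```sql
-- Constructed names: app_rw (application role) and audit_log (audit table).
CREATE ROLE app_rw LOGIN;

CREATE TABLE audit_log (
    id        bigserial   PRIMARY KEY,
    logged_at timestamptz NOT NULL DEFAULT now(),
    actor     text        NOT NULL DEFAULT current_user,
    action    text        NOT NULL
);

-- Append-only for the application role: it may add and read rows, nothing else.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT INSERT, SELECT ON audit_log TO app_rw;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_rw;

-- Act as the non-superuser role.
SET ROLE app_rw;
INSERT INTO audit_log (action) VALUES ('login');              -- allowed
UPDATE audit_log SET action = 'edited' WHERE id = 1;          -- denied: no UPDATE privilege
DELETE FROM audit_log WHERE id = 1;                           -- denied: no DELETE privilege
RESET ROLE;

-- Back as the superuser: privilege checks are bypassed, so the same
-- statement goes through. This is the limit the answer describes.
UPDATE audit_log SET action = 'edited' WHERE id = 1;

-- Review check 1: which roles fall outside the audit guarantee.
SELECT rolname FROM pg_roles WHERE rolsuper;

-- Review check 2: which privileges have actually been granted on the table.
SELECT grantee, privilege_type
FROM information_schema.table_privileges
WHERE table_name = 'audit_log'
ORDER BY grantee, privilege_type;
```

The two `SELECT` statements at the end are what an auditor would want recorded: the list of superuser roles defines who the log cannot be trusted against, and the grant list confirms no other role holds `UPDATE`, `DELETE` or `TRUNCATE`.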