Operation not permitted from dd

I need to update the bootsector after upgrading the ZFS pool. In 10.3 the command to disable the Operation not permitted error was:

  sysctl kern.geom.debugflags=0x10

But that doesn't seem to work in 11.0:

  root@crayon2:~ # sysctl kern.geom.debugflags=0x10
  kern.geom.debugflags: 16 -> 16
  root@crayon2:~ # dd if=/boot/zfsboot of=/dev/ada0s1a skip=1 seek=1024
  dd: /dev/ada0s1a: Operation not permitted

Has anything changed in 11.0?

As far as I know the whole procedure has two steps. First is embedding the bootcode in the partitioning scheme's metadata, then second is embedding it on a specific partition.

Fix bootcode on MBR partitions:
  gpart bootcode -b /boot/boot0 ada0

Write ZFS boot:
  dd if=/boot/zfsboot of=/tmp/zfsboot1 count=1
  gpart bootcode -b /tmp/zfsboot1 /dev/ada0s1
  sysctl kern.geom.debugflags=0x10
  dd if=/boot/zfsboot of=/dev/ada0s1a skip=1 seek=1024

In this case I am using /boot/boot0 instead of /boot/mbr to enable selecting either FreeBSD or Windows at startup. My question is only about the second step, updating the bootcode on ada0s1a.

The "s1a" at the end of of=/dev/ada0s1a looks more like a name for a UFS slice. That can't be right.

You should check devices in your pool with zpool status and if you use labels, gpart show -p is helpful.

One time I accidentally tried to dd on a disk used by bhyve(8) and fortunately got the same message Operation not permitted.
So it could be not a bug but a feature.
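
The check suggested in the replies (confirm with zpool status which device the pool really uses before writing boot blocks with dd), written out as an added example that is not part of the thread. The pool name zroot, the sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check before a raw dd onto a partition.
# pool_has_vdev DEVICE reads `zpool status` text on stdin and succeeds
# only if DEVICE appears as a vdev inside a "config:" section.
# It fails closed: a pool built on labels (gpt/..., diskid/...) will not
# match a raw device name, so map labels first with `gpart show -p`.
pool_has_vdev() {
    awk -v dev="${1#/dev/}" '
        $1 == "config:" { in_cfg = 1; next }  # vdev table starts here
        $1 == "errors:" { in_cfg = 0 }        # vdev table ends here
        in_cfg && $1 == dev { found = 1 }
        END { exit !found }
    '
}

# Constructed sample of `zpool status` output (not taken from the thread).
sample_status() {
cat <<'EOF'
  pool: zroot
 state: ONLINE
config:

        NAME        STATE     READ WRITE CKSUM
        zroot       ONLINE       0     0     0
          ada0s1a   ONLINE       0     0     0

errors: No known data errors
EOF
}

# preflight TARGET: prints "ok" or "refuse" for the given dd target,
# reading pool status from stdin.
preflight() {
    if pool_has_vdev "$1"; then
        echo "ok"
    else
        echo "refuse"
    fi
}

# Live use on the FreeBSD host (commented out so the file runs anywhere):
#   zpool status | pool_has_vdev /dev/ada0s1a &&
#       dd if=/boot/zfsboot of=/dev/ada0s1a skip=1 seek=1024
```
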