Okay, that makes sense. And it has to be said: BPS staff put at least 2 hours into email support and troubleshooting on my site to resolve this issue. Big thanks to them for going the extra mile.
It’s alarming that code which constantly restores a copy of .htaccess can be injected into core WordPress files, and has no known malware signature, but the good news is, I found the right people to fix it.