This may fall under "reasonably foreseeable misuse" and should be covered through risk management. ISO 14971 tells us that risk should be controlled preferably by an inherently safe design. So in your example, if the device was intended to be used at a maximum depth of 3mm, the device would not be capable of going beyond 3mm. If that is not possible, the next option for risk control would be some kind of guard or alert if the device is used outside of its intended use. The example you provided of a sort of lock at 3mm would be an example of that. The third option for risk control is providing information on residual risk to the end user. This would be how you currently seem to be addressing this risk with the disclaimer you hare having your customers sign. This could also be a warning on the device labelling.
Whichever path you opt to choose will need to be justified in your risk files. The level of risk control of course should be in proportion to the risk presented by the misuse. Your post market activities should provide you with data that will tell you how effective your risk control measures are.
An example (as best as I can recall) from FDA's REdI conference a few years back is an active surgical screwdriver that is used to adjust the torque of screws in an implant. The device is designed an intended to be used to torque screws in a surgical setting. However, the manufacturer was receiving complaints of the device failing. The investigation uncovered that many surgeons were also using the handle of the screwdriver as a sort of hammer, which caused the device to not function properly because it was not designed to withstand repeated percussive forces on the handle. Because of the frequency at which the device was being used as a hammer in addition to a screwdriver, this became an reasonably foreseeable misuse and the manufacturer needed to take additional measures to prevent device failure or user harm arising from misuse/off-label use.