If we want to enforce the invariant that --one-filesystem never touches a different filesystem, the current way we resolve symlinks is wrong. The problem is that we fully resolve symlinks, so if a symlink points at a symlink on a different FS, which points back to something on the correct FS, that's not detected at all by --one-filesystem.
To fix this, we would have to resolve symlinks one level at a time, and detect symlink loops ourselves.
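The one-level-at-a-time resolution described above, as an added Python example that is not code from the project. The names `resolve_one_fs`, `dev_of` and `MAX_HOPS` are hypothetical, a hop cap stands in for loop detection, and the policy is an assumption: every symlink followed and the final target must be on the starting device.

```python
import os
import tempfile

MAX_HOPS = 40  # assumed cap; following more symlinks than this is reported as a loop

class CrossesFilesystem(Exception): pass
class SymlinkLoop(Exception): pass

# dev_of is injectable so the demo can simulate a second filesystem (POSIX paths).
def resolve_one_fs(path, root_dev, dev_of=lambda p: os.lstat(p).st_dev):
    """Follow symlinks one hop at a time; each hop and the result must be on root_dev."""
    pending = [c for c in os.path.abspath(path).split(os.sep) if c][::-1]
    current, hops = os.sep, 0
    while pending:
        part = pending.pop()
        if part == "..":
            current = os.path.dirname(current)
            continue
        candidate = os.path.join(current, part)
        if not os.path.islink(candidate):
            current = candidate
            continue
        if dev_of(candidate) != root_dev:  # this link lives on another filesystem
            raise CrossesFilesystem(candidate)
        hops += 1
        if hops > MAX_HOPS:
            raise SymlinkLoop(path)
        target = os.readlink(candidate)
        if os.path.isabs(target):
            current = os.sep
        # Queue the target's components so they are resolved hop by hop as well.
        pending.extend(c for c in reversed(target.split(os.sep)) if c not in ("", "."))
    if dev_of(current) != root_dev:
        raise CrossesFilesystem(current)
    return current

def demo():
    """Constructed tree: a/link -> b/hop -> a/target.txt; b/ is simulated as device 2."""
    tmp = os.path.realpath(tempfile.mkdtemp())
    a, b = os.path.join(tmp, "a"), os.path.join(tmp, "b")
    os.mkdir(a)
    os.mkdir(b)
    open(os.path.join(a, "target.txt"), "w").close()
    os.symlink(os.path.join(a, "target.txt"), os.path.join(b, "hop"))
    os.symlink(os.path.join(b, "hop"), os.path.join(a, "link"))
    fake_dev = lambda p: 2 if p.startswith(b + os.sep) else 1
    full = os.path.realpath(os.path.join(a, "link"))  # ends in a/, crossing unseen
    try:
        return full, resolve_one_fs(os.path.join(a, "link"), 1, fake_dev)
    except CrossesFilesystem as exc:
        return full, "blocked at " + os.path.relpath(str(exc), tmp)
```

`demo()` returns the fully resolved path, which lands back under `a/`, next to the hop-by-hop result, which stops at `b/hop`.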