From the security audit report:

Symlinks are followed by the vdirsyncer implementation even if they fall outside the target sync directory.

Due to the way that vdirsyncer perform atomic writes, it would never write to a location outside the vdir, even in the presence of a symlink. It would simply create a new file and overwrite the symlink.

The only scenario where this can potentially be exploited, is where Alice has write permissions to a vdir, but Bob runs vdirsyncer on it. In such a scenario, the Alice could potentially leak files which are only readable by Bob by uploading them to a remote storage.

The most likely course of action here will be to treat symlinks as unreadable files. There aren't any supported use cases which rely on this anyway.