From the security audit report:
Symlinks are followed by the vdirsyncer implementation even if they fall outside the target sync directory.
Due to the way that vdirsyncer perform atomic writes, it would never write to a location outside the vdir, even in the presence of a symlink. It would simply create a new file and overwrite the symlink.
The only scenario where this can potentially be exploited, is where Alice has write permissions to a vdir, but Bob runs vdirsyncer on it. In such a scenario, the Alice could potentially leak files which are only readable by Bob by uploading them to a remote storage.
The most likely course of action here will be to treat symlinks as unreadable files. There aren't any supported use cases which rely on this anyway.