The rest of the cluster doesn't think it's the leader, but the problem is that it still accepts database connections as if it were.
If a client sees a stale value of the leader key (which is possible, either through network hiccups or etcd's normal behavior of allowing reads from followers) then it could contact the old leader and perform updates which won't be visible on the new leader.
> Those updates don't count though, since they weren't sent to the leader.
But that's exactly the problem! If you were to run this whole system under a tool like Jepsen, this would show up as "acknowledged but lost writes". It's not generally considered acceptable to connect to your database, issue an UPDATE and a COMMIT, and have everything appear to work successfully, only for the data to disappear into the aether because it got sent to the wrong replica.
> If a DB does not hold a valid key, it shouldn't accept new connections, or signal that data was committed.
Exactly, and the problem with this implementation (again, unless I'm missing something) is that it may violate this contract.
If a client sees a stale value of the leader key (which is possible, either through network hiccups or etcd's normal behavior of allowing reads from followers) then it could contact the old leader and perform updates which won't be visible on the new leader.