Not really. For example, if you have a construct like "blacklist *" and that wildcard is evaluated at construction time on some overlay filesystem, then additional entries may sneak in later from the lower over the overlay, because the wildcard expansion doesn't get updated.
On the other hand, if you start with a blank-slate filesystem root and only bind exactly the whitelisted paths, then there is nothing to leak through.
There are other ways in which blacklist-all can fail to be equivalent to whitelisting.
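An added shell demonstration of the two behaviours described above (not part of the original comment). It stands in for the overlay with plain directories and for bind mounts with `cp`, since both can be run without privileges; the function names, the `lower`/`sandbox` directory names and the file names `a`, `b`, `c` are constructed for the demo.

```sh
#!/bin/sh
# Constructed demo: a wildcard blacklist expanded once at construction time
# versus a whitelist built by populating an empty root with exactly the listed paths.

# "blacklist *" expanded at construction time: returns the names that are
# visible afterwards but were never captured by the expansion.
demo_blacklist_glob() {
  bl_root=$(mktemp -d)
  mkdir -p "$bl_root/lower"
  touch "$bl_root/lower/a" "$bl_root/lower/b"
  # The wildcard is evaluated now, so the deny list is frozen as "a", "b".
  blocked=$(cd "$bl_root/lower" && printf '%s\n' *)
  # Later, a new entry appears in the lower layer (stand-in for the overlay's lower).
  touch "$bl_root/lower/c"
  leaked=""
  for f in "$bl_root/lower"/*; do
    name=${f##*/}
    # grep -Fxq: exact whole-line match against the frozen deny list.
    if ! printf '%s\n' "$blocked" | grep -Fxq "$name"; then
      leaked="${leaked:+$leaked }$name"
    fi
  done
  rm -rf "$bl_root"
  echo "$leaked"
}

# Whitelist: start from an empty root and bring in only the listed paths
# (cp stands in for a bind mount). Returns what is visible in the sandbox root.
demo_whitelist_bind() {
  wl_root=$(mktemp -d)
  mkdir -p "$wl_root/lower" "$wl_root/sandbox"
  touch "$wl_root/lower/a" "$wl_root/lower/b"
  for p in a; do                       # "a" is the only whitelisted path
    cp "$wl_root/lower/$p" "$wl_root/sandbox/$p"
  done
  # A new entry in the lower layer never reaches the sandbox: nothing binds it.
  touch "$wl_root/lower/c"
  visible=""
  for f in "$wl_root/sandbox"/*; do
    [ -e "$f" ] || continue            # an empty root leaves the literal "*" unexpanded
    visible="${visible:+$visible }${f##*/}"
  done
  rm -rf "$wl_root"
  echo "$visible"
}
```

Running `demo_blacklist_glob` prints `c`, the entry that slipped past the frozen wildcard, while `demo_whitelist_bind` prints only `a`.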