Currently keys from admin.system.extra_validation_keys ("external keys") are read with majority read concern to match the read used to find keys in admin.system.keys ("internal keys"). Internal keys are used to sign outgoing requests so a key that may roll back should not be read. External keys are only used to validate incoming requests, so it is safe for a rolled back key to be read. It just won't be used until eventually it is reaped.