Hi! Yeah, it’s a bit confusing, even at its clearest (which, in my mind, is probably where the config option itself is discussed):
Basically, in an ideal world, Vault with mlock'd memory is ideal. However, in the case of BoltDB, it gets very sad in that environment. (As pointed out in a previous post, BoltDB does a lot of what could be deemed odd things for the sake of speed.) Therefore, disable mlock in this specific case, and then put some other measures in place to compensate for the fact that your deployment is now vulnerable to certain attacks normally mitigated by the reference architecture.