bq: Why would anyone invoke DELETEREPLICA against a replica if they don't want it to be removed from cluster state?
It's really the opposite, something of a safety valve. It's a situation where you only want to affect the cluster state, you do not want to actually delete a replica if it's live. Particularly for cleanup when a machine has died and it's never coming back.
I'm looking at it as a paranoia flag for DELETEREPLICA that expresses "if I screwed up and called this on a live replica, ignore the command". Operationally, it's scary to turn a script loose for maintenance that may, through a programming error or whatever, delete all the nodes on my system.
One can argue that all this can be done by examining the cluster state and issuing the delete replica only for nodes that are down and not need to add a flag to DELETEREPLICA and I suppose that's true. But operations folks would like this kind of safety valve.
I'm not quite sure how this plays out in the ZK being "the one source of truth" model, when we get there it may be irrelevant. But we're not there yet, it's completely optional, and if omitted the behavior is the same as now so it's not a big change.