https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108894

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
The -fstrict-flex-arrays= option doesn't affect the sanitization; if you want strict
sanitization of bounds, you should use -fsanitize=bounds-strict rather than
-fsanitize=bounds.
Furthermore, it is a misunderstanding of what either of those sanitizers does;
they check the array index against the array domain.  In the case of a flexible
array member, that size is unlimited, not some constant or variable (that would
be just in case of a VLA).
If you want sanitization against object size, there is -fsanitize=object-size
for it.
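
Added example, not part of the bug report or of GCC: a C sketch contrasting a fixed array, whose domain is part of its type, with a flexible array member, whose only limit is the allocation, together with an explicit length check for the latter. The names fixed_buf, flex_buf, flex_new, flex_set and flex_get are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Fixed array: the domain [0, 3] is part of the type, so a bounds
 * check has a constant to compare the index against. */
struct fixed_buf { size_t len; int data[4]; };

/* Flexible array member: the type records no bound, so there is no
 * array domain; only the size of the allocation limits the index. */
struct flex_buf { size_t len; int data[]; };

/* Allocate a flex_buf with n zeroed elements and record n in len. */
struct flex_buf *flex_new(size_t n)
{
    if (n > (SIZE_MAX - sizeof(struct flex_buf)) / sizeof(int))
        return NULL;                  /* size computation would wrap */
    struct flex_buf *b = calloc(1, sizeof(*b) + n * sizeof(int));
    if (b != NULL)
        b->len = n;
    return b;
}

/* Store v at index i; the index is checked against the recorded length. */
int flex_set(struct flex_buf *b, size_t i, int v)
{
    if (b == NULL || i >= b->len)
        return -1;
    b->data[i] = v;
    return 0;
}

/* Load index i into *out with the same explicit check. */
int flex_get(const struct flex_buf *b, size_t i, int *out)
{
    if (b == NULL || out == NULL || i >= b->len)
        return -1;
    *out = b->data[i];
    return 0;
}

int main(void)
{
    struct flex_buf *b = flex_new(3);
    int v = 0;
    int rc = (b != NULL && flex_set(b, 2, 7) == 0 &&
              flex_get(b, 2, &v) == 0 && flex_get(b, 3, &v) == -1) ? 0 : 1;
    free(b);
    return rc;
}
```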
