hello, currently CONTROLLED_SHUTDOWN API does not ensure the current leader sends all data to followers which in isr. it may cause data loss if the client does not use ack=all. I think semantic is a little weak. I can accept data loss if the broker crash, but we can try best to avoid data loss when the graceful shutdown.
The above conclusion is from the code source, not the actual environment.
