I've tested this change in an onu environment.
With secflags set neither in the brand nor zone config, the init process has no security flags set:
bloody# psecflags `pgrep -n -z pkgsrc init`
1354: /sbin/init
E: none
I: none
L: none
U: aslr,forbidnullmap,noexecstack
The pre-existing zone flags still work as expected (tested default, lower and upper combinations)
bloody# zonecfg -z pkgsrc 'add security-flags; set default=aslr; end'
bloody# zoneadm -z pkgsrc boot
bloody# psecflags `pgrep -n -z pkgsrc init`
2233: /sbin/init
E: aslr
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
With some default security flags added to the brand config, the ones defined in the zone override:
bloody# grep security-fl /usr/lib/brand/pkgsrc/config.xml
<security-flags>aslr,forbidnullmap,noexecstack</security-flags>
bloody# psecflags `pgrep -n -z pkgsrc init`
3156: /sbin/init
E: aslr
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
and removing the zone-specific ones allows the brand ones to take effect:
bloody# psecflags `pgrep -n -z pkgsrc init`
4025: /sbin/init
E: aslr,forbidnullmap,noexecstack
I: aslr,forbidnullmap,noexecstack
L: none
U: aslr,forbidnullmap,noexecstack
Updated by 
Updated by