@ncw I'm not sure if you still plan to add this to the docs but I found some more info that might be useful if you do.
If you look back at my original post, I mentioned that you need to mount the parent directory of the target folder. This can actually be avoided. I found that the rslave bind propagation has the same benefits of rshared but without needing to pass the entire parent directory (probably because rslave propagates mounts in one direction unlike rshared which is bidirectional).
This is obviously better because we have more granularity with restricting file access to the containers. Like I mentioned in my original post, binding the parent directory could be a security issue.
Here's a more full example using the rslave method instead rshared.
services:
rclone:
image: rclone/rclone:latest
command: mount xxx:/ /data --allow-other
volumes:
- /mnt/data:/data:rshared
some_service_that_needs_the_rclone_mount:
image: some_image
volumes:
- /mnt/data:/data:rslave