I reproduced the issue and I think I know what’s going on.
Rocky Linux is doing something a little strange and is including modular RPMs in the list of normal RPMs. On top of that, they included this RLSA-2021:3666 erratum that we singled out in both BaseOS and AppStream. Your content view filtered out the c-ares RPMs from BaseOS, so the erratum didn’t make it into there. However, the erratum did make it into AppStream because the c-ares RPMs don’t exist there at all.
Katello marked the erratum as applicable because the c-ares RPM is indeed applicable, and then it marked the erratum as installable because the erratum exists in your content view version.
Essentially it boils down to the relationship between AppStream and BaseOS, plus Rocky Linux seemingly doing something unexpected.
I think there is something here to be improved, regardless of whether or not Rocky Linux is doing something weird (I’m not 100% sure). Either we consider all of a CV’s repositories when deciding if an erratum should be thrown out (katello/yum.rb at KATELLO-4.3 · Katello/katello · GitHub) or we improve the “installable errata” query to not just look at which errata are in the host’s LCE. We’d also need to check if the errata’s RPMs are all available. I’ll make an issue.
Anyway, good catch @caseybea!
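A small Ruby model of the mismatch described in the post above, added here as an illustration; it is not Katello code. The structs, method names and package versions are constructed, and checking only the RPMs applicable to the host (rather than every RPM the erratum lists) is an assumption.

```ruby
require "set"

# Constructed model of a content view version (CVV); not Katello's schema.
Repo = Struct.new(:name, :rpms, :errata_ids)

ERRATUM_ID = "RLSA-2021:3666"
C_ARES_FIX = "c-ares-1.0-2.el8.x86_64" # constructed NVRA, not the real one

# Filtered CVV: the filter removed c-ares from BaseOS, so the erratum was
# dropped there. AppStream never had c-ares, so its copy of the erratum stayed.
FILTERED_CVV = [
  Repo.new("BaseOS",    Set["bash-5.0-1.el8.x86_64"],  Set[]),
  Repo.new("AppStream", Set["nginx-1.0-1.el8.x86_64"], Set[ERRATUM_ID]),
]

# Unfiltered CVV for contrast: the fixed RPM and the erratum are both present.
UNFILTERED_CVV = [
  Repo.new("BaseOS",    Set["bash-5.0-1.el8.x86_64", C_ARES_FIX], Set[ERRATUM_ID]),
  Repo.new("AppStream", Set["nginx-1.0-1.el8.x86_64"],            Set[ERRATUM_ID]),
]

# Applicability for one host: erratum id => RPMs that would upgrade the host.
APPLICABLE = { ERRATUM_ID => [C_ARES_FIX] }

# Behaviour described in the post: an applicable erratum counts as installable
# as soon as it exists anywhere in the host's content view version.
def installable_by_presence(applicable, repos)
  present = repos.map(&:errata_ids).reduce(Set.new, :|)
  applicable.keys.select { |id| present.include?(id) }
end

# The second option from the post: additionally require that the RPMs which
# make the erratum applicable can actually be installed from the CVV.
def installable_by_rpm_availability(applicable, repos)
  available = repos.map(&:rpms).reduce(Set.new, :|)
  installable_by_presence(applicable, repos).select do |id|
    applicable[id].all? { |rpm| available.include?(rpm) }
  end
end

puts "presence only, filtered CVV:    #{installable_by_presence(APPLICABLE, FILTERED_CVV)}"
puts "with RPM check, filtered CVV:   #{installable_by_rpm_availability(APPLICABLE, FILTERED_CVV)}"
puts "with RPM check, unfiltered CVV: #{installable_by_rpm_availability(APPLICABLE, UNFILTERED_CVV)}"
```

With the filtered content view the presence-only check reports an erratum the host cannot install, which makes the host's patch status misleading; the RPM-availability check reports it only when the fix is reachable.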