But that's only for flex local switching.  I think it will still be a problem for anything centrally switched?

I think the scenario which you are referring will be very low. I have very rarely come across networks where they use overlapping IP addresses even if it's in different VRF's. I think if AP's are in local mode we need to look at the design as a whole. Only solution I see is converting the AP's to Flex.

Not sure what you mean by "low". The impression I have is that when dealing with all the stuff to prevent intrusive action by unauthorized clients or duplicated address the controller flattens the VLANs but I don't know why. It would be that simple. Just imagine the same (DHCP snooping etc etc) in a switch, would you consider it normal?

Hi Alex,

You can't even configure dynamic interfaces with overlapping IP subnets in AireOS (Dynamic interface is compulsory in AireOS world), but in 9800 platforms you really don't need L3 SVI's unless there is mdns gateway or dhcp relay. So technically you can get away wth configuring the L2 VLAN which offers same subnet under 2 SSID's in 9800. The real problem happens when there are 2 clients with the same IP address. WLC will mark the client to be excluded for IP Theft. 

If AP's are in local mode there is a workaround (only in 9800 no L3 SVI's), but not recommended. You can divide the DHCP IP scopes

VLAN 10 - VRF DATA - 10.0.0.0/24 - SSID EMPLOYEE - DHCP SCOPE 10.0.0.1-10.0.0.128

VLAN 20 - VRF PERSONAL - 10.0.0.0/24 - SSID EMPLOYEE2 - DHCP SCOPE 10.0.0.129-10.0.0.254

By manipulating the DHCP scopes you are avoiding duplicate IP issue. But you have to compensate on the available IP addresses. 

Still the same theory applies, you cannot have 2 clients with same IP. You can try to manipulate your DHCP scope to stop assignment of same IP to 2 clients.