As documented in Pacemaker Explained, Pacemaker can start a resource more than once (once on each of two nodes) if a node in single-node maintenance mode is restarted, or if, while the whole cluster is in maintenance mode or a resource is unmanaged, one node is cleanly stopped, the remaining cluster is then taken out of maintenance mode (or the resource is managed again), and the stopped node is then started again.
One possibility would be to use shutdown locks: add the resources to be locked to the shutdown graph operation, have the controller record the locks in the CIB status section, and have the controller clear a lock after the probe of the returning node rather than after a start.