It seems impossible to override an included template's `only` clause

It looks like it's impossible to override an included template's only clause, as can be seen in https://gitlab.com/gitlab-org/gitlab-ee/commit/4e17371c64bda5e67dacc7eae827c3bfcd72394a.

1. The sast job is first included from the Security/SAST.gitlab-ci.yml template: https://gitlab.com/gitlab-org/gitlab-ee/commit/4e17371c64bda5e67dacc7eae827c3bfcd72394a#f85356895992fa754e53dfb5fe8c810503aea078_3_2
2. Then we want to extend it with the .default-only clauses (defined in https://gitlab.com/gitlab-org/gitlab-ee/commit/4e17371c64bda5e67dacc7eae827c3bfcd72394a#f524b8634382f96f339588eeef428dc36ca401b5_37_31): https://gitlab.com/gitlab-org/gitlab-ee/commit/4e17371c64bda5e67dacc7eae827c3bfcd72394a#f85356895992fa754e53dfb5fe8c810503aea078_17_45
3. We expect this job to run for merge_requests (as defined in .default-only) and not for branches (as defined in Security/SAST.gitlab-ci.yml), but that's not the case by looking at the commit's pipelines tab: https://gitlab.com/gitlab-org/gitlab-ee/commit/4e17371c64bda5e67dacc7eae827c3bfcd72394a/pipelines, sast was run as part of this pipeline: https://gitlab.com/gitlab-org/gitlab-ee/pipelines/79199274 instead of the "detached" pipeline: https://gitlab.com/gitlab-org/gitlab-ee/pipelines/79199229

The workaround is to copy the template's content and remove the only clause from there (as done in https://gitlab.com/gitlab-org/gitlab-ee/commit/51ff839f6f990087fecbdf45c1e8c62379689a70 for example).