Tested with gpg 2.2.12 and 2.2.20.
There is a pubkey for recipient B@example.intevation.de in my local gpg, but it has been expired. The new or updated pubkey is available via WKD.
I want to automatically encrypt to B and use gpg --locate-key firstname.lastname@example.org
to get a good public key.
I don't get a good pubkey.
Expected result: I do get a good pubkey because one is fetched via WKD.
The default search has WKD in it, so people would expect it to work if no good key is found. There is some asymmetry when calling --locate-key that is works the first time and then later stops working. As gpg (via dirmngr) provides for the ability it makes sense to not have the using client do another command with different --auto-key-locate clear,nodefault,wkd or so to be sure. Because this would mean it would be done like this each time, thus leading to more WKD requests then if gpg just decides to only issue a request if necessary (or from time to time).
Not doing a WKD request by default would open an possible attack vector because once M manages to insert an expired pubkey into my store, the regular command does not work and thus may prevent me from sending an encrypted email to B.