should ble_app_rscs store bond info?

Yes, the bond info should be stored in flash. Either the IRK if the peer uses a private resolvable address, or the device address if the peer uses a static address. Note that once saved this will be stored in flash and used in all subsequent connections. So you have to delete it on both peers, if you want to see it written to flash again (the devices will bond again in this case).

Thanks, that definitely explains what I was seeing. I was maybe incorrectly thinking I could limit who I would allow connect to my peripheral by using a public static address in the peripheral's advertising whitelist (i.e. hard-code the relay's address), then once the first connection is made, use a stored key in the advertising whitelist from then on.

The use case would be a sensor and a central device, neither of which have a user interface other than perhaps a button. They would need to be paired in the field, so the installer would push a button on each side to start. The peripheral would advertise and connect only to a predetermined address. The central would only scan for a limited time after the button press.

One this install is complete, you would be able to avoid a MITM situation because keys would already be shared. Is there another way to accomplish this?

Is it possible to set the address on the central to be 'private resolvable', provide the 6-byte address and use cycle type 'auto'. Then on the peripheral side to filter on that address, both type and 6-byte value? I did a quick test and it doesn't seem to work.

You could use a static address in the whitelist for both the scanning and advertising device. In addition you could use MITM with a pre shared static passkey (this is configured in the options api).

It is possible to configure a private resolvable address as well, but the given address is ignored and the SoftDevice will generate a new private address automatically every BLE_GAP_DEFAULT_PRIVATE_ADDR_CYCLE_INTERVAL_S seconds.