Closed
Description
It has been observed that if a load file operation (e.g. cli_load_syntax_file()) loads an invalid XML file (invalid from a YANG perspective), the RPC edit-config operation forwards the invalid XML to the backend, and the backend does not check the sanity of the invalid XML, resulting in errors in the datastore.
Example: openconfig-network-instance. If a file contains:
```xml
<config>
  <network-instances xmlns="http://openconfig.net/yang/network-instance">
    <network-instance>
      <name>A</name>
      ...
    </network-instance>
  </network-instances>
  <network-instances xmlns="http://openconfig.net/yang/network-instance">
    <network-instance>
      <name>B</name>
      ...
    </network-instance>
  </network-instances>
</config>
```
where the top-level "network-instances" containers are invalid. Only a single container is allowed.
This results in an edit-config with two containers which are not discarded by the backend.
The backend needs to validate the incoming payload.
For RFC reference, see RFC 7950 Section 8.3:
```
8.3.  NETCONF Constraint Enforcement Model

   For configuration data, there are three windows when constraints MUST
   be enforced:

   o  during parsing of RPC payloads

   o  during processing of the <edit-config> operation
```
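A pre-load check for the condition reported above, as an added example that is not code from the report or from the project: it flags any non-list element that occurs more than once under the same parent, and any list entries that share a key. The `LISTS` map, the function name `cardinality_errors` and the sample payload are assumptions made for illustration; a real backend derives list and key information from the loaded YANG modules, and leaf-lists are out of scope here.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: schema knowledge is reduced to this hand-written map of
# YANG list node -> key leaf; everything else is treated as a single-instance node.
OC_NI = "http://openconfig.net/yang/network-instance"
LISTS = {f"{{{OC_NI}}}network-instance": f"{{{OC_NI}}}name"}

# Constructed sample: the payload shape from the report, with the elided
# "..." content left out.
SAMPLE_BAD = """<config>
  <network-instances xmlns="http://openconfig.net/yang/network-instance">
    <network-instance><name>A</name></network-instance>
  </network-instances>
  <network-instances xmlns="http://openconfig.net/yang/network-instance">
    <network-instance><name>B</name></network-instance>
  </network-instances>
</config>"""

def cardinality_errors(xml_text, lists=LISTS):
    """Return one error string per sibling-cardinality violation found."""
    errors = []

    def walk(parent, path):
        counts = Counter(child.tag for child in parent)
        reported, seen_keys = set(), set()
        for child in parent:
            here = f"{path}/{child.tag.rsplit('}', 1)[-1]}"
            if child.tag in lists:            # list: may repeat, keys must differ
                key = child.findtext(lists[child.tag])
                if key is None:
                    errors.append(f"{here}: list entry has no key")
                elif (child.tag, key) in seen_keys:
                    errors.append(f"{here}[{key}]: duplicate list key")
                seen_keys.add((child.tag, key))
            elif counts[child.tag] > 1 and child.tag not in reported:
                reported.add(child.tag)       # report each repeated node once
                errors.append(f"{here}: appears {counts[child.tag]} times, at most 1 allowed")
            walk(child, here)

    root = ET.fromstring(xml_text)
    walk(root, "/" + root.tag.rsplit("}", 1)[-1])
    return errors

if __name__ == "__main__":
    print("\n".join(cardinality_errors(SAMPLE_BAD)) or "no cardinality errors")
```

Running the check on the file before it is loaded rejects the two-container payload; it complements, and does not replace, schema-driven validation in the backend.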