We explicitely set the filter to fully_trusted, we should only be extracting tarfiles we created ourselves, or from our source storage.

The other options ('tar', 'data'; in combination with errorLevel 1) do not allow us to extract for example the cuda tarfile, which has links pointing /cvmfs/projects.cern.ch

Setting the errorLevel to 0 would currently allow us to extract the links, but that is a bug.
It also seems to be a bug that 'tar' does not let us extract the links, but maybe my interpretation of the documentation is wrong.