There are two reasons for the rcd in an IT system, the first (which rather defeats the reason for an IT system) is on first fault.
In this case the system must be earthed via a high resistance, usually from a centre tap on the transformer (or via the earthy side), in this case any outgoing circuit once there is a first fault will see an unbalance. Hence trip on first fault.
That depends on the reason for the IT system - though strictly speaking the moment you apply that earthing connection (even via a resistor) then it's no longer IT.
Make it a 55-0-55 secondary and you get the benefits of a low voltage, combined with the additional protection of the earth resistance backed up by the RCD. Think school labs where students either have no grasp of the dangers, or (more likely) are "inquisitive" - ah, the things we used to get away with when I were a lad
Of course, teachers may be more clueless than the students in some cases
The second, allows the system to continue, on a first fault.
In this case, each outgoing circuit has an rcd. In the event of the first fault on say circuit 1 as long as the capacitance of the system is small enough, although there may be a leakage current, it won't be sufficient to operated the rcd.
Now in the event of a second fault providing it's on a different circuit there will be a path between the two circuits and both rcd would see this unbalance and operate, most likely both operating in similar times disconnecting both faults.
There are issues with this.
Firstly, it is possible that only one rcd operates (quick enough to trip before the other does), thus you find one of the faults - it could be the first or second.
Secondly, this would not work if the faults were on the same rcd/circuit (but of course you have mandatory OCPD for that).
Thirdly in the event of high resistance faults, perhaps on the same phase (or neutral) there is no guarantee that sufficient current will flow.
Fourthly if both circuits are unloaded and the two faults occur on the same phase (or neutral), then no current will flow between the two circuits, it is only when one of the circuits becomes loaded that it would cause sufficient current to flow in the rcds.
Fifthly - further to the last point, there can be an unusual situation where the volt drop is the same on both circuits, for example (silly number alert) say there is a first fault 1 ohm down the neutral conductor which carries 5A - the voltage at this point would be 5V (with respect to the neutral bar). Now there is a second fault on a different circuit carrying 10A, but only 0.5 ohm down the neutral, again the voltage would be 5V (with respect to the neutral bar), since both these points are at the same potential, there wouldn't actually be any current between them, and no unbalance!!
(Think wheatstone bridge)
But, none of those issues will create a safety risk. In all cases, either a device trips or there isn't a safety issue - assuming all the usual precautions like enclosures that keep fingers out and insulation that insulates.
Obviously, if someone opens up a cabinet and sticks their fingers across two line connections (arguably, you don't have L & N in a 2 wire It system, just L1 and L2) then they'll get a shock just as they would with any other supply type.
But as you point out, on a first fault, the system keeps going - which may be justification in itself.
As I mentioned in the other thread, IT systems are common in marine environments for the "keep going on first fault" feature - though I suppose another way of looking at it is avoiding the "bang and magic smoke" (along with disruption to the power system) before the OCP disconnects the circuit. But then they have (typically) automatic monitoring systems - the Bender kit can both tell you there's a fault, and tell you where it is if you install sufficient units in the right places.
But the critical thing is that there is a system or process in place to identify when that first fault occurs so it can be fixed. If it's ignored, then the system is no more resilient than if it had not been IT in the first place.
I've recently had reason to look into how the Bender EFM (Earth Fault Monitoring) systems work - it's both quite simple and quite elegant. Master unit impresses an earth fault current onto the system - think about if you replace the resistor in your first example (resistively earthed centre tap) with a signal generator. At each monitoring point (e.g. outgoing way in a switchboard) there's a detector unit connected to a CT around all the outgoing conductors (excluding CPC of course).
If there's no earth fault, all that happens is that the master unit pushes the voltage phasor diagram around relative to earth. If there's a fault, a corresponding current is detected by the CT, correlated with the impressed signal, and an alarm raised - e.g. by a signal into the SCADA.
However, it gets "more interesting" when you add a load of high power variable speed drives - adding capacitance to the system, and capable of creating high frequency rotating faults. Think about what happens if you inject (say) 440V at a few hundred (or more) Hz into filter caps designed to be across 240V at 50 Hz because one side of the DC link in a drive (with active front end) has an earth fault.