I’ll probably just do the strictly incorrect thing only temporarily, emit warnings, and allow time for update_or_create() callsites to determine if they really need the injected fields from the save() call or not. Should eventually get correctness that way 
I agree with the following from the last time I asked for advice on this topic:
Maybe the next stop should be a new-features repo ticket to sound out what that generic solution might look like?
Finally, should we update the pseudocode in the docs for update_or_create() to stop showing save() given that it’s described here as an implementation detail?