doesn't this mean you can't do a rescan any longer if you're stuck with old version after segwit, the old version doesn't know who is really allowed to spend the output?
Nope, those using older clients will be creating legacy format transactions, and those transactions will be stored in the original block structure when mined.