User::newFromId(0) is an easy thing to do by mistake, which creates the current user's IP, and then people may leak it. Since this is dangerous we should change this behaviour, and make User::newFromId(0) be 127.0.0.1 or something and make sure people explicitly request an anon IP
Have we identified why User::newFromId(0) was used? (It sounds kind of snotty when I say it like that, that's not my intention, I just mean - is there some area of the documentation we've identified that suggests using it, or anything. I just wonder because, in all of MediaWiki, that call is used only once outside tests, and only in the installer which is pretty obscure. Even in places where an anon user is needed, the preferred way of doing it is usually new User() )
It might be worth making the user class a bit more explicit. e.g. Having two new factory methods User::newAnonFromCurrentIP() and User::newGenericAnon() (With the later being equivalent to User::newFromName( '127.0.0.2', false ); ). This would make it very clear what the methods do at a glance. It would also allow separating the use case of, I need a generic user object, so my user-generic cache isn't polluted with user specific details [A rather common case in MediaWiki], and the case of, I need an anon user object for the current requester's IP [An extremely obscure need in MediaWiki].