Currently a user with bad intentions could create quite a mess with batch edits, and it is unclear how that mess could be repaired. It hasn't happened, but... should we wait?
I would restrict the Batch Edit permission to an invitation-only group where the Phabricator, Operations, and WMF-NDA members could add new members. Ideally this permission would be granted automatically based on the trust/activity accumulated by the user, to keep away new / unexperienced users, puppet accounts, etc. Today we lack these mechanisms, hence delegating the trust criteria to some trusted members.
Maybe we should reset acl*Batch-Editors and use it for this?