Admins (more generally, users with undelete rights) can remove the revision deletion status of a file revision (including if the file is suppressed), even if they don't have suppressrevision or deleterevision rights. Admins are not supposed to be able to do this.
Basically, when doing Special:Undelete, if the file version you're undeleting would be the newest version of the image (so it would be the main image associated with the file page), then the fa_deleted field is totally ignored during the undeletion process.
Steps to reproduce:
- Find some file version that's suppressed. (this works both for "deleted" suppressed files, and files that are not "deleted" but just "suppressed")
- If there is currently an image for the associated page, "delete" (that is, normal ?action=delete, not revdel) the image, so that there is no image when browsing to File:<filename>
- Special:Undelete the specific revision you want to remove suppression from (and only that revision)
- Image should now be publicly viewable, despite the fact that admins aren't supposed to be able to view it.
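
The missing check, shown as a simplified model next to a hardened form. This is an added example, not MediaWiki code: the function names, the `Result` type and the `unsuppress` parameter are hypothetical, and the model assumes that a version restored as an old (non-current) version keeps its visibility flags.

```python
from dataclasses import dataclass

# Bit values as in MediaWiki's File::DELETED_* constants.
DELETED_FILE = 1        # file content hidden (revision-deleted)
DELETED_RESTRICTED = 8  # suppressed: hidden from admins as well

@dataclass
class Result:
    restored: bool
    publicly_visible: bool
    reason: str = ""

def needed_right(fa_deleted):
    """Right required to lift the visibility flags on an archived version."""
    if fa_deleted & DELETED_RESTRICTED:
        return "suppressrevision"
    return "deleterevision" if fa_deleted else None

def restore_as_reported(fa_deleted, current_exists, rights):
    """Behaviour described in the report: flags dropped for a new current version."""
    if "undelete" not in rights:
        return Result(False, False, "undelete right required")
    if not current_exists:
        return Result(True, True)  # fa_deleted is never consulted on this path
    # Assumption of this model: a version restored as an old version keeps its flags.
    return Result(True, not fa_deleted & DELETED_FILE)

def restore_hardened(fa_deleted, current_exists, rights, unsuppress=False):
    """Refuse to publish a hidden version as current unless explicitly unhidden."""
    if "undelete" not in rights:
        return Result(False, False, "undelete right required")
    if not current_exists and fa_deleted:
        right = needed_right(fa_deleted)
        if not (unsuppress and right in rights):
            return Result(False, False,
                          f"hidden version would become current; needs {right}")
        return Result(True, True, "explicitly unhidden by authorised user")
    if not current_exists:
        return Result(True, True)
    return Result(True, not fa_deleted & DELETED_FILE)
```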