commons case: abuser opens an account, waits a few days for the account to age and abuses pages. Although there are IP based abuse filters in place they do not fire, as the user is now registered and not an anon any longer.
This might cause an IP information leak if a filter catches accounts based on a narrow enough IP range, as the hit log would associate the account with the IP range that the filter catches.
This also opens the same discussion we had in the past regarding access to non-public information. If this enhancement is added to AbuseFilter then all admins in the entire WMF wikis (Wikipedias, Wiktionaries, etc.) need to go through identification process, because there is potential for them to access private information about users. I am not sure how realistic that is.
I remember we had a closely related discussion on another Phabricator task about AbuseFilters and IPs, and @Mdennis-WMF or someone else from WMF did a query with legal and eventually stated that any such enhancements might mean we need to have sysops go through identification. I cannot find it this moment but once I do, I will link it here.
Speaking as one, the notion of identifying all Wikimedia admins is fairly unrealistic. Logistical effort aside, there are plenty who for many reasons will not share their personal information with the WMF. And there would be concerns about ageism as well, probably.
Agreed. Which is why I think this feature should not be added in a way that is available to admins. We can have a discussion about CU-only features in AbuseFilter (which is a huge programming task).