Problem
There are a lot of extension using the userCan hook for access control. Yet there are still parts of the core where userCan is not considered. This is true in particular for read access. For example, afaik, QueryPages do not consider read access. Quite often, this is as simple as adding a userCan hook call. I'm not proposing to make Mediawiki read access bullet proof, but to fix the most obvious read access holes.
Who would benefit
Extension developers who need to implement access control for their mediawikis
Proposed solution
We can use this list as a basis: https://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions . It needs to be updated to the current state of MediaWiki. Then the open questions / issues can be addressed in the code. Ideally, at the end we have a positive list of which pages / actions consider read access.