In order to create and modify filters with actions marked as restricted, we need to grant allowance to some user groups using $wgGroupPermissions['sysop']['abusefilter-modify-restricted'] = true; in abusefilter.php@wmf-config.
I was thinking that maybe we could add it as a default grant for all WMF sysops.
This will not suddenly allow all sysops to create filters with all sorts of restricted actions, as the wiki filter needs to be explicitly configured to allow restricted actions. I mean, even if anyone has 'abusefilter-modify-restricted', if the wiki filter is not configured to have any restricted action, the permission will serve no purpose.
As such, maybe we can consider adding this as the default for all sysops and add exceptions to that rule (for example, a wiki which does not allow sysops to manage abusefilters but only an 'abusefilter' group). Otherwise, we can keep doing as we currently do, that is, adding this in addition to configuring the restricted action required.