The (somewhat misleadingly named) edituserjs/editusercss/edituserjson permissions allow a user to edit another user's personal JS/CSS/JSON files. There is little practical use for this (it might be used to help users who messed up their personal scripts but just telling them what to change would work just as well) and it's a convenient attack vector. Either it should be removed or limited so that users cannot edit the scripts/styles of a user who has more permission (e.g. an admin should not be able to edit a bureaucrat's personal scripts; a bureaucrat should not be able to edit a steward's).
(This issue has been discussed in various places, but a dedicated task did not exist.)