The only usage left is session encryption.
More correctly, the only usage is as a fallback for session encryption if you don't have the openssl extension available. It's also guarded by a function_exists check.
No, there is nothing here that should prevent WMF from rolling out PHP 7.2.
The code in question is in MediaWiki\Session\Session::getEncryptionAlgorithm(), ::setSecret(), and ::getSecret(). The latter two depend on the first, and the first should never even reach the mcrypt check since openssl is loaded and has a proper cipher available:
anomie@mwmaint1002:~$ php7.2 -r 'var_dump( function_exists( "openssl_encrypt" ), in_array( "aes-256-ctr", openssl_get_cipher_methods(), true ) );'
bool(true)
bool(true)
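Added example, not part of the original comments and not MediaWiki's own code: a preflight script that applies the selection order described above (openssl with aes-256-ctr first, mcrypt only as a function_exists-guarded fallback) and exits non-zero on a host that would not use openssl. The function name `sessionCryptoBackend`, the scenario data and the exit-code convention are assumptions made for illustration.

```php
<?php
/**
 * Illustrative only (hypothetical helper, not MediaWiki code).
 * Returns which backend an "openssl first, mcrypt as guarded fallback"
 * selection would pick, given the host's capabilities.
 *
 * @param callable $hasFunction  e.g. 'function_exists'
 * @param string[] $opensslCiphers  e.g. openssl_get_cipher_methods()
 */
function sessionCryptoBackend( callable $hasFunction, array $opensslCiphers ): string {
    // Preferred path: openssl is loaded and offers the wanted cipher.
    if ( $hasFunction( 'openssl_encrypt' )
        && in_array( 'aes-256-ctr', $opensslCiphers, true )
    ) {
        return 'openssl';
    }
    // Fallback path: only reachable when the check above fails, and only
    // if the mcrypt extension is actually installed (it is no longer
    // bundled with PHP as of 7.2).
    if ( $hasFunction( 'mcrypt_encrypt' ) ) {
        return 'mcrypt';
    }
    return 'none';
}

// Constructed scenarios: [ available functions, available openssl ciphers ].
$scenarios = [
    'openssl with aes-256-ctr, no mcrypt' => [ [ 'openssl_encrypt' ], [ 'aes-256-ctr' ] ],
    'openssl without the cipher, mcrypt present' =>
        [ [ 'openssl_encrypt', 'mcrypt_encrypt' ], [ 'aes-128-cbc' ] ],
    'openssl without the cipher, no mcrypt' => [ [ 'openssl_encrypt' ], [ 'aes-128-cbc' ] ],
];
foreach ( $scenarios as $label => [ $functions, $ciphers ] ) {
    $has = function ( string $name ) use ( $functions ): bool {
        return in_array( $name, $functions, true );
    };
    printf( "%-45s => %s\n", $label, sessionCryptoBackend( $has, $ciphers ) );
}

// The same check against the PHP binary running this script.
$liveCiphers = function_exists( 'openssl_get_cipher_methods' )
    ? openssl_get_cipher_methods()
    : [];
$live = sessionCryptoBackend( 'function_exists', $liveCiphers );
echo "this host => $live\n";

// Non-zero exit flags a host where the mcrypt fallback (or nothing) would be used.
exit( $live === 'openssl' ? 0 : 1 );
```

Running it with each PHP binary on a host (for example `php7.2 check.php`, where the file name is arbitrary) gives the same answer as the one-liner above, plus a usable exit status for automation.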