According to a code comment, the user returned by AbuseFilter::getFilterUser() is made a sysop so that "it doesn't look like an unprivileged account is blocking users". Given how precious small wiki communities are about their admin lists, as evidenced by comments on T209565, this may be the lesser of two evils.
Perhaps all users created by User::newSystemUser() could be in a special system user group, that would clear up any confusion about how it is that unprivileged users are able to make privileged actions. The new group would not need any rights assigned to it, since these users act through APIs that do not perform authorization.
In the meantime, note that it is safe to remove the sysop flag from the abusefilter-blocker user using Special:UserRights.