The $mRights field in User is used to cache a user's effective rights after loading them. Once code for loading and evaluating the user rights has been moved into PermissionManager (per T218558), it should also be cached inside PermissionManager, not on the User object.
Note: PermissionManager typically only needs to load permissions for a single user, so it may be sufficient to just cache the most recently loaded set of permissions, or the most recent three or five.
Note: $mRights is public, it can't just be removed. Access to it should be emulated via the get() and set() methods. Setting this field directly is used a lot in tests, so hard deprecation is not possible right away. Also, such tests need a new way to fore user permissions. This could be done by overriding the PermissionManager service with a mock, but some kind of convenience method for this would probably be in order. Alternatively, PermissionManager could support programmatic setting of user rights when in test model, or it could be done via TestingAccessWrapper.