The FileImporter extension provides a Special:ImportFile and allows to set the needed rights for the special page with config FileImporterRequiredRight
Setting $wgFileImporterRequiredRight = 'editinterface'; in LocalSettings.php does not shows a permission error on the special page when logged in as non-sysop.
Without $wgFileImporterShowInputScreen = true; is does not give a input form, but it handles actions given by request params.
The function SpecialPage::userCanExecute is not executed on the special page. The SpecialPage::__constructor mention to call it itself when override execute, which is not happen here.
The permission is only taken into account on Special:SpecialPages and the page is not listed there.
It needs a call to SpecialPage::checkPermissions to handle the user right from the option.
I have not tested if one of the action of that special page could be executed without the necessary rights, I have only seen that the permission error is missing when first open the page.
The special page correctly checks if the upload is enabled on the wiki and the default permission is upload. In the default config there is no security issue, because UploadBase::isAllowed already checks for the upload right. Only when using customized the needed rights it is executed.
Maybe there is no need for such a option and the option needs to be removed without further mention of the security issue.
wmf wikis does not change or use the config.