AbuseFilter should work when IP masking is enabled ($wgAutoCreateTempUser['enabled'] = true).
AbuseFilter handles the EditFilterMergedContent hook. When a user is anonymous with IP masking enabled, the user passed to EditFilterMergedContent is an unsaved account (user ID = 0) with an automatically generated prospective name. I'm concerned about loading various kinds of user data using this unusual kind of User object. For example the variables user-editcount, user-emailconfirm, user-groups, user-rights, user-block and user-age. We need to confirm that these variables return something reasonable. Ideally they shouldn't do DB queries looking for rows with user_id=0.
The "block" action in this scenario is probably broken -- it will try to block a non-existent user by name. Maybe the autoblock flag could be used to block the IP address while preserving privacy. If that doesn't work, it's better to fail than to leak the IP address.
The "rangeblock" action uses WebRequest::getIP() and so apparently has the potential to leak IP addresses. If so, it's an issue not specific to temporary accounts.
There has been some talk of adding an IP address variable for temporary users while somehow maintaining privacy. I think that's out of scope for now. The first thing is to make sure AbuseFilter doesn't throw exceptions or do anything stupid.
Adding a boolean variable that reflects User::isTemp() (or its UserIdentity equivalent) could be done at this stage and would be nice to have.