At Miraheze, we use the UserTextField to allow users to assign wikis to a user on CreateWiki. See https://github.com/miraheze/CreateWiki/blob/master/includes/CreateWiki/SpecialCreateWiki.php#L36
When I attempt to input a locked & hidden user, while autocomplete doesn't suggest it, it still succeeds perfectly fine if I enter it manually and submit the form.
This seems to be a info leak to me. I discussed with @AntiCompositeNumber on IRC too