...but currently they don't. Oops. Or rather, they don't do that properly: both special pages' __construct methods call the parent constructor with sportsteamsmanager as the 2nd argument, but this does not actually restrict access to the page, and further checks need to be done in either execute() or (preferably) executeLogo() (for consistency with existing similar checks).
To be precise, both special pages do check that the user has the basic upload user right as well as that the DB isn't locked, that the target directory is writable, etc. in executeLogo(), but in terms of permissions, that's it. The thing is, most registered users on most sites will have the upload right, whereas sportsteamsmanager (which grants access to its namesake special page, Special:SportsTeamsManager, which is used to add, edit and remove sports and sports teams) will likely be granted only to a handful of users. That's why this matters (in theory; in practice SportsTeams remains so site-specific that most sites are unlikely to ever even consider installing it).
On the other hand, this isn't super exploitable and a potential attacker would still need to manually set the correct id URL param to do any real damage; but then again the uploads done via these special pages aren't logged anywhere currently, which is kinda annoying and would make attacks harder to debug.
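A sketch of the two missing pieces described above: enforcing the right passed to the constructor, and logging the upload. This is an added example, not SportsTeams' own code. The class name, page name, log type 'sportsteams', subtype 'logo-upload' and the logUpload() helper are hypothetical, and the log type and its message key would still have to be registered by the extension. The check is placed in execute() here because executeLogo()'s signature is not shown on this page.

```php
<?php
// Added example: class name, page name, log type and helper are hypothetical.
class SpecialExampleLogoUpload extends SpecialPage {
	public function __construct() {
		// The 2nd argument only records which right the page requires.
		// Nothing is enforced at construction time.
		parent::__construct( 'ExampleLogoUpload', 'sportsteamsmanager' );
	}

	public function execute( $par ) {
		$this->setHeaders();
		// Enforce the constructor's restriction: throws PermissionsError
		// unless the current user holds 'sportsteamsmanager'.
		$this->checkPermissions();
		// Uploads write to disk and DB, so refuse while the wiki is read-only.
		$this->checkReadOnly();

		$request = $this->getRequest();
		$id = $request->getInt( 'id' );
		if ( $id <= 0 ) {
			$this->getOutput()->addWikiTextAsInterface( 'Missing or invalid id.' );
			return;
		}
		if ( !$request->wasPosted() ) {
			return; // the upload form would be rendered here
		}
		// ... existing upload handling (basic 'upload' right, writable dir) ...
		$this->logUpload( $id );
	}

	private function logUpload( int $id ): void {
		// 'sportsteams' / 'logo-upload' are placeholder names (assumption).
		$entry = new ManualLogEntry( 'sportsteams', 'logo-upload' );
		$entry->setPerformer( $this->getUser() );
		$entry->setTarget( $this->getPageTitle() );
		$entry->setParameters( [ '4::id' => $id ] );
		// insert() writes the row and returns its id; publish() sends it to
		// recent changes so the upload is visible to reviewers.
		$entry->publish( $entry->insert() );
	}
}
```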