Running code from CentralAuth, AbuseFilter, TitleBlacklist etc. which collectively call half the codebase does not seem like a good thing to be doing while the main context user is half-initialised and has lots of methods which will fail horribly if you try to call them (e.g. T43198).
Perhaps initialisation of the User object from the session can be moved to a function called from Setup.php, such as RequestContext::getUser(). It's not lazy-loaded anyway, User::newFromSession() has always been called unconditionally. Then CentralAuth (and anything else that uses the UserLoadFromSession hook) can be called without User::load() in its call stack.
See Also: T60731