Users with the `oathauth-enable` right can manage two-factor authentication on the Special:Manage_Two-factor_authentication page (for example,
https://en.wikipedia.org/wiki/Special:Manage_Two-factor_authentication), but unlike other security-sensitive pages like Special:Preferences and Special:UserLogin, local scripts (Common.js, gadgets, user scripts, etc.) are allowed to run on this page.
It seems like all important actions on these pages require confirmation other than just a button click, but an attacker could try to confuse the user by altering text on the page using their script, prompting the user to perform an action they need. What bothers me even more is that the attacker could intercept the code the user enters into some of the forms (I personally encountered a form like this at https://ru.wikipedia.org/w/index.php?title=Special:Manage_Two-factor_authentication&action=disable&module=totp&uselang=en).
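For reference, this is how a MediaWiki special page opts out of site and user JavaScript the way Special:Preferences and Special:UserLogin do. It is an added illustration, not code from the OATHAuth extension or from the reporter; it assumes the core `OutputPage::disallowUserJs()` method is the mechanism those pages use, and the special page class name is hypothetical.

```php
<?php
// Added example, not OATHAuth's own code. Assumes core OutputPage::disallowUserJs();
// the class and special page name are hypothetical.

class SpecialManageTwoFactorExample extends SpecialPage {
    public function __construct() {
        // Second argument is the user right required to view the page.
        parent::__construct( 'ManageTwoFactorExample', 'oathauth-enable' );
    }

    public function execute( $subPage ) {
        $this->setHeaders();
        $this->checkPermissions(); // throws PermissionsError without 'oathauth-enable'

        $out = $this->getOutput();
        // Keep Common.js, gadgets and user scripts off this page, so a local
        // script cannot rewrite the form text or read the code typed into it.
        $out->disallowUserJs();

        // ... render the enable/disable forms for the 2FA module here ...
    }
}
```

After such a change, a practitioner can confirm the effect by loading the page with a site-wide or personal script enabled and checking in the browser's developer tools that no user-origin ResourceLoader modules are requested for it.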