As per this link I would like no one to hold abusefilter-private rights. The reason is that "The abusefilter-private right allows those who have it to see the IP address of any edit by using the AbuseFilter examine interface. The right isn't assigned to anyone ), because it is essentially an unlogged form of checkuser". I added the bolding of the text by the way. I think CU or CU style privledges should be logged somewhere and no one should have access to silent CU like that
OS is used by Stewards and we never use it as CheckUser. It find to be able to change private filters. Also that link is not releated.
abusefilter-private gives rights to view the IP of whatever user triggered that filter when viewing an abuse log entry. The intended right may have been abusefilter-view-private (provides ability to view private abuse filters) or abusefilter-log-private (provides ability to view AbuseLog entries of filters marked as private). Either way, anyone with abusefilter-modify (given to sysops) has the ability to view (and modify) all filters (including private).
As such, I've merged the PR; the right does not belong with the oversight toolset.
I would like to suggest reconsideration of the abusefilter-private right. Abusefilter now logs private data access. This must be enabled with the $wgAbuseFilterPrivateLog setting and the abusefilter-private-log right is required to view it. I suggest this config option be enabled and both rights be added to the checkuser group.
If there was a consistent issue where there was abuse being stopped by the abuse filters that needed CU information to look into, I'd do it, but there just hasn't been precedent.