That sounds like a case of "The system can't trust the Admin." I would argue that there are far more dangerous settings an Admin can change than allowing an MNet user to be an Admin.
We required this feature, so our only recourse was to expand the LDAP context to allow the user to natively log in to the various Moodle instances. This causes all sorts of duplicate user issues where we get username1(native user), username2(Mnet user), etc. where the users are actually the same.
If, for example, you use a central Mahara instance, those various users are treated as separate despite being one and the same.