I said "may" originally since I was not sure exactly how much power that gave a user. So I tested how it works in Moodle 3.1.
This is what I have found that an otherwise normal authenticated user role with the upload user capability set to Allow can do:
1) Delete existing users, even if moodle:user/delete is set to Prevent or Prohibit - it still allows them to delete the accounts, so clearly it does not check for this capability in the code
2) Rename usernames with the oldusername column
3) Suspend and activate users with the suspended column
4) Set any of the defaults fields in the interface in addition to the upload file
5) Create new users
6) Edit any of the possible upload file column fields for existing users, including passwords
So, basically, it pretty much gives them all the same power as a Manager would have in dealing with users. That' a lot of power in one capability. Now, you do need to add the moodle/role:assign to do the course enrolments too.
But I don't see a way to reduce that basic power over user accounts and any way to prevent deletions or account changes.