IMHO, this is indeed a bug, since default definition of "Authenticated user" leads to a report critical status.
This is due to capacity "tool/dataprivacy:requestdelete" with risk RISK_DATALOSS is allowed by default for this role.
How about fixing this in an analog way of MDL-50613?