In lib/db/access.php, moodle/user:delete defines risks of:

'riskbitmask' => RISK_PERSONAL, RISK_DATALOSS,

I think it should be defined as:

'riskbitmask' => RISK_PERSONAL | RISK_DATALOSS,

like all the others.

What happens now is that the risk bitmask for user:delete is assigned as RISK_PERSONAL and an unrelated entry of $capabilities['moodle/user:delete'][0] is created with the value of 0x20 which doesn't seem to be checked for, and if any capability should be tagged RISK_DATALOSS, user deletion definitely should be.

It's in 3.4 as per current code - but any version since July 2008 potentially is affected, it was introduced in https://github.com/moodle/moodle/commit/3a0c6cca332fbeced9276422e50efa9abea58d72 when it was introduced in MDL-8521