🔐 User edit permission has been split to groups edit, credentials edit and attributes edit permissions. We've also added checks to ensure that anyone trying to edit an admin's credentials or add/remove users to/from the admin group is an admin. (flarum/core#2620)
I hope I'm not being stupid but I noticed something while doing a quick test. I gave the mods group the permission to edit user attributes, everything works well and as described, mods can't make themselves admins or edit credentials. But, they can still change an admin's nickname, avatar, and all other attributes added by extensions. It's a little bit annoying since this permission is very essential for moderation so it wouldn't be a great decision to strict it for admins only.
What I'm thinking of is, perhaps, protect the admins from being edited, whether it's a credential or an attribute, you just can't edit it for admins. That way, splitting permissions wouldn't be that necessary, or maybe it would for some communities, I'm not sure. I would rather just keep it as it is and only protect admins from being edited.
You guys know more than I do so I'll just keep this here in case you consider it one day.