Do you have any idea how to do that when users are provisioned using OIDC? Probably would not make that default, most users are fine with it. For the more sensitive users there should be an option to opt-out. When they change their name in XWiki though, it gets overridden at next login based on the OIDC claim values.
Good catch, it wasn’t working because of that. I blindly copied it from the example in the documentation and never questioned it. Fixed it in the documentation now, and profile visibility is working now.
It leaves the wiki open to a more indirect attack vector, as hitting the /bin/view/XWiki/<user_name> page for an existing user name redirects you to OIDC login, while doing the same for an non-existing username shows that the page could not be found. It therefore allows probing for the existence of usernames, which is less of a privacy issue, more a security issue (although probably not high severity to be fair).