MetadataExposure provides an exclusion for SystemAdmins but not for Community and Collection admins, who are actually more likely to need access to metadata that is restricted from public view. For instance, the default metadata field for hiding is dc.description.provenance, which is in the purview of Community and Collection admins at my location.
Caveat: The comments in the class state that it is important to have a very efficient mechanism, and extending the class by calling AuthorizeManager.isAdmin(context, dso) would have a much greater overhead than the current AuthorizeManager.isAdmin(context). And for OAI this recommendation is not applicable.
The hidden metadata is still available to all admins using the EditMetadata capability, yet this is a burden with the provenance field since it can be quite large.