In our test instance of Canvas I tested the following scenario.
I created an admin role with the sole purpose of creating users. The permissions for the role were:
I then set the new role on a test user and logged in as this user for testing, and it worked as I wanted: I could create users and enrol them in courses, and I could change passwords for ordinary users but not for users with an admin role.
But then I tested merging users and found out that I could create a new user and merge the new user with an admin user. I could then log in as the new user and get the full permissions of the merged admin user.
I would consider this a security bug; the merge should not be permitted.
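The post above asks that such a merge be refused. One way to express that check, as an added example that is not part of the original post and is not Canvas code: the `User` struct, the permission names and every function name are hypothetical, and the sample accounts are constructed.

```ruby
require 'set'

# Hypothetical, simplified model for illustration; this is not Canvas code.
User = Struct.new(:name, :permissions)
class MergeDenied < StandardError; end

# A merged account ends up with the union of both accounts' permissions,
# so the actor must already hold every permission either account carries.
def authorize_merge!(actor, source, target)
  unless actor.permissions.include?(:merge_users)
    raise MergeDenied, "#{actor.name} lacks :merge_users"
  end
  excess = (source.permissions | target.permissions) - actor.permissions
  return true if excess.empty?
  raise MergeDenied, "merge would expose permissions #{actor.name} does not hold: " \
                     "#{excess.to_a.sort.join(', ')}"
end

# Returns the merged account, or raises MergeDenied before anything changes.
def merge_users(actor, source, target)
  authorize_merge!(actor, source, target)
  User.new(target.name, source.permissions | target.permissions)
end

# Non-raising form of the same check, convenient for UI gating and tests.
def merge_allowed?(actor, source, target)
  authorize_merge!(actor, source, target)
rescue MergeDenied
  false
end

# Constructed sample accounts; the permission names are made up.
USER_CREATOR = User.new('user-creator',
                        Set[:create_users, :enrol_users, :change_passwords, :merge_users])
NEW_USER   = User.new('new-user', Set[])
STUDENT    = User.new('student', Set[])
FULL_ADMIN = User.new('full-admin',
                      Set[:create_users, :merge_users, :manage_roles, :manage_settings])

[[NEW_USER, STUDENT], [NEW_USER, FULL_ADMIN], [FULL_ADMIN, NEW_USER]].each do |src, dst|
  verdict = merge_allowed?(USER_CREATOR, src, dst) ? 'allowed' : 'denied'
  puts "#{src.name} -> #{dst.name}: #{verdict}"
end
```

The check is symmetric on purpose: it refuses the merge whichever of the two accounts is the admin, so the direction of the merge cannot be used to get around it.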