If the privacy feature introduced in Matomo 3.5.0 is enabled and the userId is hashed with a salt, then the visitorId would still kind of leak the userId. Ideally, when the userId is set and the feature is enabled, then the userId should be salted there as well.
Actually, it should not be an issue as
manipulateRequest in privacy manager "request processor" is executed before getting the visitor Id. So we are there creating a hash on the already hashed User Id.