Does this mean that if a client doesn't set the Content-Type header, and it sends some parameters in the URI query string and some parameters in the HTTP request body, then the latter are now sometimes ignored (and eventually will always be ignored)?
Yes, it does.
If so, then this is a bit worrisome, in that safety-checks like starttimestamp=... and assertuser=1 wouldn't do their jobs, so actions might go through that aren't supposed to.
Since the "token" parameter is required to be in the POST body, the action should fail due to that being missing if the "action" parameter is in the query string.
Is it possible for MediaWiki to detect that there was a message body but no Content-Type, and return an explicit error in that case?
It should be possible to detect a POST with no Content-Type, that's a good idea. I doubt there's much point in trying to differentiate the rare case of a POST with an empty body, particularly since the client should still be including the content type even with that.
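The check discussed above, as an added example in plain PHP; it is not MediaWiki code and not part of the original thread. The function name `checkWriteRequest`, the 415/400 status codes and the sample requests are assumptions made for the illustration.

```php
<?php
// Added illustration, not MediaWiki code. Names and status codes are assumed.

// Media types whose bodies PHP itself parses into $_POST.
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data'];

/**
 * Decide whether a request may proceed. Returns [httpStatus, message].
 * $server mirrors $_SERVER and $body mirrors $_POST.
 */
function checkWriteRequest(array $server, array $body): array {
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return [200, 'not a POST, nothing to check'];
    }
    $rawType = trim($server['CONTENT_TYPE'] ?? '');
    if ($rawType === '') {
        // Explicit error instead of silently ignoring the body. A POST with
        // an empty body is treated the same way: the header is still expected.
        return [415, 'POST without Content-Type: body parameters would be ignored'];
    }
    // Drop parameters such as "; charset=UTF-8" or "; boundary=..." first.
    $mediaType = strtolower(trim(explode(';', $rawType, 2)[0]));
    if (!in_array($mediaType, FORM_TYPES, true)) {
        return [415, "unsupported Content-Type: $mediaType"];
    }
    // The token is read from the parsed body only, so a request whose body
    // was dropped cannot carry one and the action fails closed.
    if (!isset($body['token'])) {
        return [400, 'token must be sent in the POST body'];
    }
    return [200, 'ok'];
}

// Constructed sample requests (not captured traffic): [$_SERVER, $_POST].
$samples = [
    'no content type' => [['REQUEST_METHOD' => 'POST'], []],
    'form, no token'  => [['REQUEST_METHOD' => 'POST',
        'CONTENT_TYPE' => 'application/x-www-form-urlencoded'],
        ['assertuser' => '1']],
    'form with token' => [['REQUEST_METHOD' => 'POST',
        'CONTENT_TYPE' => 'application/x-www-form-urlencoded; charset=UTF-8'],
        ['token' => 'constructed-token', 'assertuser' => '1']],
];
foreach ($samples as $name => [$server, $body]) {
    [$status, $msg] = checkWriteRequest($server, $body);
    printf("%-16s %d %s\n", $name, $status, $msg);
}
```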