When you unblock someone via the API, you get the full user object back. This includes mPassword (hashed, so I'm not sure how much of a big deal this is), mToken, mEmail (not public info), and some other things.
On a slightly unrelated note, I'm not sure api.php?meta=userinfo should return the watchlisttoken preference... In the UI it says 'Filling in this field with a secret key will generate an RSS feed for your watchlist. Anyone who knows the key in this field will be able to read your watchlist, so choose a secure value.'
Version: 1.20.x
Severity: normal