On the User App 3.5, the filter appears to be moved to the entity
itself.

That's okay.

I put a condition of:

Login Disabled = FALSE
or
Group Membership not equals "cn=Hidden-Users,o=BLAH"

However, this is what I'm wondering:

For a "regular" user (meaning a non-admin user account), do they need
READ rights to those two attributes for the filter to work?

It searches LDAP as the actual user that's logged into it, right?