I’m afraid some of this may be lost to history because it was ported from WordPress MU (before multisite was part of WordPress). The only ticket that I could find with anything close to an explanation was here: https://mu.trac.wordpress.org/ticket/336
There is a filter hook if you want to roll out custom validation: https://developer.wordpress.org/reference/hooks/wpmu_validate_user_signup/
Unfortunately, the filter hook won’t work, because it doesn’t fire until after the questionable regex check takes place.
https://developer.wordpress.org/reference/functions/wpmu_validate_user_signup/ — the regex in question is on line 479, but the filter doesn’t run until line 600, and in any event the filter says you can’t use it to change anything, it appears to be intended for error handling.
While this feels like a piece of leftover code, I just find it hard to believe that I’m the first person who ever has wondered “why can you use a period as part of a username HERE but not THERE”. And it’s a simple enough fix, but I don’t know nearly enough about all the other places that MU and usernames might interact to know if it’s safe.
My backup plan was going to be “oh, I’ll just use our SSO system’s user IDs for this” but there’s a separate check in wpmu_validate_user_signup that prevents users from having all-numeric usernames.
I strongly suspect that at least my original case (usernames with periods) works, because on my test network, a few users that were created with usernames like that, from before I switched the site to a network, exist and pass the initial sniff tests (can log in, appear to work at first glance).
Time to write some patches, I suppose.
If I’m reading the code correctly, those checks add to the $errors object (WP_Error), but the error isn’t checked until the function is called later. I believe it would be possible to remove errors via $result['errors']->remove() in a filter. But, I’m not sure how smart of an idea it would be to do that because of the same unknowns that you have.
I’m kind of interested in the history and reasons behind this too. I’m guessing some of the extra checks deal with URLs in some way. But, I’m at the limit of how I might be able to help with this at this point.
To my great disappointment, this is not only a known bug, but it’s one that’s been open for eleven years: https://core.trac.wordpress.org/ticket/17904
