Even if user don't have the capability  moodle/course:viewsuspendedusers they can manualy enrol them in course.

Steps :

0 - put forbidden to all roles for moodle/course:viewsuspendedusers
1 - Create a student and suspend him
2 - Create a teacher
3 - Create course
4 - Go to /enrol/manual/manage.php?enrolid=XXX page and see that you can add the suspended student
4 bis : Go to /user/index.php?id=YYY page and see that you can add the suspended student

Solution for step 4 :
Alter code to check for capability and exclude suspended users in file enrol/manual/manage.php  :

// Create the user selector objects.

$options = array('enrolid' => $enrolid, 'accesscontext' => $context);

$exclude=null;

if(!has_capability('moodle/course:viewsuspendedusers', $context)){

    $exclude = $DB->get_fieldset_select('user', 'id', 'suspended=1');

}

//$potentialuserselector = new enrol_manual_potential_participant('addselect', $options);

$potentialuserselector = new enrol_manual_potential_participant('addselect', array_merge($options, array('exclude' => $exclude)));

I don't know if it should also be applied to the enrol_manual_current_participant or not (I think it's less problematic for a teacher to remove a suspended user than to add them in courses)

Haven't got time to look how to correct 4 bis for the moment

From a rapid look, it seems to affect all versions.