First stab at adding the capability of tagging sysctls for deprecation. Unsure who to tag, so I'm going with some folks generally involved in these discussions in the past, or that are generally interested in killing things... the downside to this approach is that, for instance, sysctl(8) will actually hit a node's handler anywhere from two to five times depending on what you're doing.
Instead of trying to indicate major version and taking up a couple of precious sysctl flag bits, just generically say "this is deprecated and will be removed in a future version". I would think that sysctls getting deprecated would either be generally unused or easy enough to transition away from (compared to, say, whole drivers) that "it's going to go away" and any advice offered in relnotes would be sufficient.
net.link.tap.user_open will be our first victim; this sysctl will be deprecated in favor of just letting node permissions control access as we do pretty much everywhere else.