The query token is nice, and in 4.7.x with QUERY conditions it is much better. However, there are still features missing.

The ability to do the things an LDAP query can do is a starting point.

Only return objects with a value.
(!(givenName=*)) (find everyone missing a givenName)
This is now handled by <search-condition name='not'> I think, if =* would work.
Show all passwords that expire after this date.

Look at the rest of the LDAP-style queries and support them. The search-conditions in 4.7 add on handles much of the grouping options, which is great.