- Type: Bug
- Resolution: Fixed
- Priority: Major
- Component/s: config-file-provider-plugin
The Config File Provider Plugin puts the configuration files into the /tmp folder.
Unfortunately, those config files are world-readable. For instance:
-rw-r--r-- 1 jenkins nogroup 1.4K May 8 22:55 /tmp/settings9023625112185063780.xml
This poses a security problem as the above file might contain injected credentials.
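A check an administrator could run for the exposure described above, shown beside an owner-only way to create the file. This is an added example, not part of the original report or the plugin's code; the function names and file contents are constructed, and it assumes a `find` that supports `-maxdepth` (GNU and BSD) and a system `mktemp`.

```shell
#!/bin/sh
# Added example. File names and contents below are constructed.

# Write $2 to path $1 under the common default umask 022 -> mode 0644,
# the same mode shown in the listing above.
write_weak() {
    ( umask 022; printf '%s\n' "$2" > "$1" )
}

# Write $2 to a new file in directory $1 using mktemp, which creates the
# file with mode 0600 and an unpredictable name. Prints the path.
write_private() {
    f=$(mktemp "$1/settings.XXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# Print regular files directly inside directory $1 whose name matches
# pattern $2 and that group or others may read.
find_exposed() {
    find "$1" -maxdepth 1 -type f -name "$2" \
        \( -perm -040 -o -perm -004 \) -print 2>/dev/null
}

# Demonstration in a scratch directory (not the real /tmp contents).
demo() {
    dir=$(mktemp -d) || return 1
    write_weak "$dir/settings-weak.xml" '<password>constructed</password>'
    write_private "$dir" '<password>constructed</password>' >/dev/null
    find_exposed "$dir" 'settings*'    # lists only settings-weak.xml
    rm -rf "$dir"
}
demo
```

On a build host, `find_exposed /tmp 'settings*.xml'` lists any provided settings files that are still readable by other local users.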