withCredentials stores values encrypted. wrap currrently does not, but it should. (For compatibility, need to readResolve the old map.)

withCredentials also masks secrets accidentally printed to the log. It would perhaps be undesirable for wrap to do so unconditionally, since there may be legitimate reasons to see non-secret variables in build output. Discriminating between the two cases mechanically is unfortunately not possible without an API change to SimpleBuildWrapper, such as making makeSensitiveBuildVariables take Run rather than AbstractBuild, or adding a variant to Context.env.

If both issues are addressed, withCredentials could probably be deprecated (marked isAdvanced), with SecretBuildWrapper made a SimpleBuildWrapper.