selmensh Thank you for the report, but as mentionned by ianw, if you have a security issue, please use the Security tracker, as mentionned in https://www.jenkins.io/security/reporting/
Secondly, as mentionned by kon, the documentation is clear about this part. As a user with Job/Configure, you have access to the credentials for your pipeline. We cannot differentiate a legit usage of the credentials inside a curl command and a malicious one, both are using the plain text value of the credentials, one for building something and the other to steal the credentials.
I will close this ticket as not a defect and invite you to use different approach to protect your instance/credentials. For example, you can limit the credentials per folders and then restrict access of the users to that folder.