The bit I missed was that the bug description does not say whether the deletion was recent i.e. within the 5 minute cache window.
It is expected behaviour that if a secret is deleted within the cache window, its entry will continue to be shown (though it will not be functional). It is indeed an idiosyncrasy in the user experience that we would rather not have, but it is unavoidable given the current polling strategy of integrating with Secrets Manager: there is no way for Jenkins to know that the secret is (soft-)deleted until it refreshes the cache and calls Secrets Manager again.
When the time comes to refresh the cache, the ListSecretsOperation dutifully filters out soft-deleted secrets. This has been tested and is known to work.