This bug is a regression in org.jenkinsci.plugins.workflow.cps.actions.ArgumentsActionImpl.java
I think it's important to note that with this regression security sensitive content is now getting saved out to the $JENKINS_HOME/jobs files. This isn't a transitory UI leak that goes away with the server. It is the file based content that drives both the BlueOcean and standard UI's.
Effectively, pipeline execution status is getting saved to XML job files and ArgumentsActionImpl is supposed to be doing the text masking before security sensitive content gets saved.
In 2.84 during ArgumentsActionImpl.sanitizeObjectAndRecordMutation execution, it called isStringSafe and used a white list to determine whether or not to mask secrets.
In 2.85+ this is replaced with an attempt to match a list of variables from an EnvironmentExpander to mask. If no list is given, no variables are masked. Its not clear to me at all how the vault should have provided the list of variables to mask. However, the resulting code is that there is no list of sensitive variables to block and with the white list capability removed it doesn't appear possible to mask any content so all content is now getting saved to the XML files in $JENKINS_HOME/jobs that constitute what both UI's present later.
A possible fix that worked for me is that if the list of sensitive variables is size zero, reinstate the white list filter. Here it is laid into a 2.87 version as an example: ArgumentsActionImpl.java
I initially assumed this would be a vault bug, but I just didn't see how or where to supply the list of sensitive variables to the cps plugin to pick up and use in an EnvironmentExpander plus this API changed out from underneath it so the fallback shouldn't be a complete lack of masking that which used to be masked, which is the case 2.85+