The credentials-binding-plugin currently installs logfilters that take care of masking secrets while logging.
However this is only applied to secrets that are currently bound.

If the secret is stored into a variable and printed later it will not be masked.
(or the secret is part of an exceptions message)
It would be nice to have a way to either
a) Mask secrets that were in scope before, but are not anymore
b) Explicitly mask secrets inside a given string before passing it out of the current scope

Note: This is not meant to protect against intentional misuse but to make it easier for pipeline authors to write non-leaking pipelines.