After JENKINS-51470 it may be still reasonable to have additional level of encryption: optionally enable end-to-end encryption so that other Kafka consumers cannot sniff secrets and the content.

Interesting article: https://blog.codecentric.de/en/2016/10/transparent-end-end-security-apache-kafka-part-1/