https://github.com/jenkinsci/credentials-plugin/blob/11873056e05470405fa004adbd2967d96eeafa12/src/main/resources/com/cloudbees/plugins/credentials/ViewCredentialsAction/action.jelly#L39

it is a User, and this ends up calling static User#get(String)

This does not impact security, but the check will succeed, and the "Add domain" link will be shown to users without the necessary permission.