yes, but that makes the string or the application that allowed this particular string to be created broken, but it does not follow that any application where any one string happens to exist in a secure or non-secure version is broken.
i expect that this secure feature will be used for much less critical things that i don't want to show up in logs. usernames, urls, in fact any user data is a candidate for something that should not show up in logs.
this leads to the suggestion to rename the whole concept from "secure string" to "private string" or "hidden string". there is not much secure about secure strings, and i think secure is not a good term.
private could (at least from the terminology) clash with the current private keyword, and hidden nicely relates to the resulting feature of "hiding" the string from %O output.
greetings, martin.