On the other hand, the existence of both a secure and a non-secure string with the same contents is clear evidence that the security model has been broken.
Shouldn't the correct response to this evidence be to alert someone, by throwing an error or printing a stern warning?
It doesn't matter much why the model is broken. It may be because the random seed turned out not to be so random. Or because the secret key was stored in a non-secure string first. Or because the user chose a password that is far too easy to guess (by a computer if not a human).
It seems that just silently ensuring that the contents are not swapped today is rarely enough to solve the problem. Or perhaps the secure strings will be used for purposes where the do-not-swap feature is not that important?