We don’t consider information disclosure to administrators a problem, but yes, it should be marked as sensitive to avoid showing up unnecessarily, the same as e.g. google_oauth2_client_secret.
This is a simple fix:
There’s a tradeoff of secrecy vs. convenience; not allowing the secrets to be unmasked in the UI would only provide an illusion of inaccessibility, since there are other ways for an admin to easily read it from the database.
However, any secrets (any site setting, really) can be specified via the environment, and then they won’t show up in the admin UI.
(right @pmusaraj?)
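To make the two mechanisms in the reply above concrete, here is an added Ruby illustration (not Discourse’s own code) of how a settings layer can treat a setting flagged as secret versus one supplied from the environment: the secret one is masked in the admin listing, while the environment-supplied one shadows the stored value and is dropped from the listing entirely. The `SITE_SETTINGS` registry, the `DISCOURSE_` environment prefix and the `stored` hash standing in for the database are all assumptions made for the example.

```ruby
# Added illustration of "secret" flag vs. environment override for site
# settings. This is example code, not Discourse's implementation; the
# registry, env prefix and stored-values hash are constructed here.
require 'json'

# Hypothetical registry: default value plus a secret flag per setting.
SITE_SETTINGS = {
  "title"                       => { default: "My Forum", secret: false },
  "google_oauth2_client_id"     => { default: "",         secret: false },
  "google_oauth2_client_secret" => { default: "",         secret: true  },
}.freeze

# Assumed naming convention for environment overrides.
ENV_PREFIX = "DISCOURSE_"

# Value from the environment, if the operator supplied one.
def env_override(name, env = ENV)
  env[ENV_PREFIX + name.upcase]
end

# Effective value: environment wins over the stored (database) value,
# which wins over the registry default.
def effective_value(name, stored, env = ENV)
  env_override(name, env) || stored[name] || SITE_SETTINGS.fetch(name)[:default]
end

# What the admin UI receives. Settings shadowed by the environment are
# omitted (they cannot be edited there anyway); non-empty secret settings
# are masked rather than shown in clear.
def admin_listing(stored, env = ENV)
  SITE_SETTINGS.each_with_object({}) do |(name, meta), out|
    next if env_override(name, env)
    value = stored[name] || meta[:default]
    out[name] = (meta[:secret] && !value.empty?) ? "*" * 8 : value
  end
end

# Constructed sample data standing in for database rows and the process env.
SAMPLE_STORED = {
  "google_oauth2_client_id"     => "123.apps.googleusercontent.com",
  "google_oauth2_client_secret" => "db-stored-secret",
}.freeze
SAMPLE_ENV = { "DISCOURSE_GOOGLE_OAUTH2_CLIENT_SECRET" => "env-secret" }.freeze

if __FILE__ == $PROGRAM_NAME
  # Without an env override the secret is listed but masked.
  puts JSON.pretty_generate(admin_listing(SAMPLE_STORED, {}))
  # With an env override it disappears from the listing, yet still applies.
  puts JSON.pretty_generate(admin_listing(SAMPLE_STORED, SAMPLE_ENV))
  puts effective_value("google_oauth2_client_secret", SAMPLE_STORED, SAMPLE_ENV)
end
```

The masking only affects what the admin page renders; as the reply notes, an admin with database access can still read the stored value, which is why the environment route is the one that actually keeps the secret out of the application's data store.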