The values for discourse subscriptions secret key and discourse_subscriptions_webhook_secret are not being masked out in the plugin settings, they are visible there and are also visible in the staff action logs.
This is not about client: true but about secret: true which masks the value (which can be toggled with the icon) and which removes the value from the staff action logs. This is the case for all other secrets and passwords in settings (like the secrets for Twitter, Facebook, Google oAuth2, Discord, Github, SSO client and provider etc etc)