This is overly general: whether or not secrets should be in diagnostic information depends on what you’re trying to diagnose. I’ve written PAM modules, for example, and logging TOTP secrets and passwords was absolutely essential for development purposes, even if I eventually deleted the relevant code for production.
