It is a follow-up to https://github.com/jenkinsci/jenkins/pull/3223 .
Cite from Devin Nusbaum:
> We might not pass secrets by default, but variables that should be secret are defined in the config files (i.e. jenkins.sysconfig.in) and then passed as regular command line variables, (i.e. jenkins.init.in). We could update the config file to recommend using paramsFromStdIn for any sensitive variables, what do you think?