Bug
Resolution: Unresolved
Major
Rocky Linux 9.3
Jenkins 2.441 installed from RPM
If Jenkins is installed from RPM and the systemd unit has JENKINS_HTTPS_KEYSTORE_PASSWORD set, this exposes the keystore password in the process list.
https://www.jenkins.io/doc/book/installing/initial-settings/#miscellaneous-parameters talks about sensitive parameters, specifically about --httpsKeystorePassword, and recommends the use of --paramsFromStdIn, but Jenkins' own systemd starter doesn't follow that.
IMO, the Jenkins systemd starter script should use --paramsFromStdIn if JENKINS_HTTPS_KEYSTORE_PASSWORD is set.
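
A check for the exposure described in this report, as an added example that is not part of the original issue or Jenkins' own code: it parses the NUL-separated /proc/<pid>/cmdline format and flags the option by name without echoing its value. The function names and the sample argument vectors are constructed for illustration.

```python
"""Audit process argument vectors for a keystore password passed as an option."""
import os
import re

# Option named in the report; matched case-insensitively because the spelling
# varies between write-ups (Keystore / KeyStore).
SENSITIVE = re.compile(r"^(--httpsKeystorePassword)=(.*)$", re.IGNORECASE | re.DOTALL)

# Constructed samples in /proc/<pid>/cmdline layout (NUL-separated arguments).
SAMPLE_EXPOSED = (b"java\0-jar\0jenkins.war\0--httpsPort=8443\0"
                  b"--httpsKeystorePassword=example-not-a-real-secret\0")
SAMPLE_STDIN = b"java\0-jar\0jenkins.war\0--httpsPort=8443\0--paramsFromStdIn\0"


def parse_cmdline(raw):
    """Split the raw bytes of /proc/<pid>/cmdline into a list of arguments."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def audit_args(args):
    """Return exposed option names only; the secret value is never returned."""
    exposed = []
    for arg in args:
        m = SENSITIVE.match(arg)
        if m and m.group(2):  # option present with a non-empty value
            exposed.append(m.group(1))
    stdin = any(a.lower() == "--paramsfromstdin" for a in args)
    return {"exposed_options": exposed, "params_from_stdin": stdin}


def scan_proc(proc_root="/proc"):
    """Audit every readable process under proc_root (Linux procfs layout)."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                result = audit_args(parse_cmdline(fh.read()))
        except OSError:
            continue  # process exited or is not readable by this user
        if result["exposed_options"]:
            findings[int(entry)] = result
    return findings


if __name__ == "__main__":
    for pid, result in sorted(scan_proc().items()):
        print(f"pid {pid}: {', '.join(result['exposed_options'])} visible in argv")
```
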