This section has the following description:
To maintain the security and anonymity of these credentials, if you attempt to retrieve the value of these credential variables from within the Pipeline (e.g. echo $AWS_SECRET_ACCESS_KEY), Jenkins only returns the value “***” to prevent secret information from being written to the console output and any logs. Any sensitive information in credential IDs themselves (such as usernames) are also returned as “***” in the Pipeline run’s output.
This might lead users to believe credentials masking is a miracle cure when all it does is prevent accidental exposure. This needs to be clarified to explain the limitations: Anyone able to change Jenkins or build scripts will be able to transform the credentials into a form that won't get masked.
See also https://github.com/jenkinsci/credentials-binding-plugin/blob/2a0d796a742ea089fcebfa1d8170326b420fbfe5/src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/help.html#L51...L59