It depends on what threat you’re protecting against. Some folks want this in order to stop bad actors who have gotten into a CI system from printing secrets to the console. But if you find a way to stop them doing
echo secret then you won’t stop them doing
echo base64(secret) or
echo rot13(secret) etc. i.e. creating output that is trivially decodable.
Even if you could stop all ways in which this data could be echoed, they could just send it to a Really Evil Web Service also.
We had someone asking about this here not so long ago, and shortly after I pointed out the above, he/she deleted the entire thread. Odd!
If you are just protecting against commands where secrets have to be put into the parameters, and you know the risks above about masking, could you just use a shell script called from the YAML file?