Ref T13216. Ref T13217. Ref T6960. Although the new "%P" (password/secret) conversion can mask values, we currently convert it too early in the stack, and pass the unmasked query to the service call profiler. This means the unmasked query appears in the service call profiler, etc.
Instead, unmask slightly later in the stack so the call profiler gets the masked string.