See D20249. Previously, see D20067. Currently, we render each query twice: one "masked" version (with passwords replaced with "****") and one "unmasked" version. In theory, we can improve performance here by only rendering once about 99% of the time, since very few queries have passwords/keys/session tokens / etc in them.
In practice, it's a bit tricky to figure out if the masked and unmasked versions will differ or not. This appears to be the most reasonable way to do it quickly. I set things up so that if we get it wrong we fail relatively safe (executing the masked query, which will have a syntax error and fail, instead of rendering the unmasked query).