Comment 8 for bug 1849624

Just so we are clear here. The keyring itself is not being passed in the call, what is being passed is the path and name of the keyring file on disk. So the credentials aren't being leaked here, just the name and path of the file that exists. You would still have to get access on the host where the keyring exists to even read it.