Feature Request FR-4457
Product Area Application Builder
Status OPEN

14 Voters

Allow encrypted item values to be visible during debug

rizwan.arshad Public
· May 13 2025

Idea Summary
Allow encrypted item values to be visible during debug.

Use Case
When debugging, item values are stored encrypted in session state.

These values are visible when viewing session state (Session -> View Session State) but not when viewing debug (Debug -> View Debug).

The same values appear with asterisks:

Session State: P1_PERSON_ID=>*** (Type difference: Item=VARCHAR2, Value=VARCHAR2)
Session State: P1_YN=>*** (Type difference: Item=VARCHAR2, Value=VARCHAR2)
Session State: P1_EDIT_YN=>*** (Type difference: Item=VARCHAR2, Value=VARCHAR2)

The only way to see these values is to introduce a security risk by decrypting the values - and this could potentially be released through to production if you forget to re-encrypt.

If the values are visible when viewing session state, I believe they should be visible when viewing debug.

This idea is open.

Comments


  • jeffrey.kemp-1 OP 5 months ago

    Not sure about this.

    Would that not mean that you'd have to be careful to ensure Debug mode is disabled in production environments, for fear that session state that was supposed to be encrypted may now be stored in the debug log in plaintext - which is the same security risk you refer to?

    I would suggest that item values like P1_PERSON_ID, P1_EDIT_YN might not need to be encrypted in the first place; typically, sensitive data that really requires encryption is, in practice, rarely actually needed in the debug log.

  • gussay OP 5 months ago

    @jeffrey.kemp-1

    Obviously in a production environment, the debug mode SHOULD be disabled, but this is talking about accessing the Debug from the Builder when the app is Available with Developer Toolbar.

    The point here is that if you are able to see session state (Session -> View Session State) why can you NOT see those values during Debug? You can only see session state when the app is Available with Developer Toolbar.

    The whole point of Debug is to see how values are changing during whatever processes are being run start to finish… and I don't see any reason NOT to show them when the app is Available with Developer Toolbar and Debug has been selected.

    As to your suggestion of what is and is not encrypted, I know that the policy in our workplace is “Encrypt when it can be”, and we run our apps through ApexSec to make sure.

  • mark stewart OP 4 months ago

    I can't imagine the issues this would cause if somehow someone accidentally (or on purpose by a bad actor) turned on “Available with Developer Toolbar” either interactively or via API calls. No matter how “well” it would be managed, there could be some combination of things that would cause failure.

    A scenario I saw first-hand was an APEX page that had a region visible only for developers; I forget whether it was via a “Configuration → Build Option”, or a “Security → Authorization Scheme” setting. One day (fortunately in development), something was amiss in the ORDS CSS or JavaScript files, and the “hidden” text was not hidden.

  • gussay OP 4 months ago

    @mark stewart

    I suggest that if your production environment has Debug Mode set ON AND Available with Developer Toolbar set ON… whatever reason your environment got that way… THAT is your biggest problem.

    If a bad actor can switch your LIVE environment to those settings, then what is to stop them setting the items to decrypted?

    And please explain how your "scenario" of a “development only region” which was spotted in the development environment (???) and was hiding TEXT has any relevance to this issue?

    As the OP said…
    The only way to see these values is to introduce a security risk by decrypting the values - and this could potentially be released through to production if you forget to re-encrypt.

    This is a far more realistic problem than the one you have described.

  • mark stewart OP 4 months ago

    @gussay That was an example of how, even though something was set up in APEX to prevent a region from displaying, it was probably displayed by a misconfiguration of files in ORDS. I.e., there could be a latent bug in doing something like this that might not be caught in testing. Slim chance, but possible.

  • ino.laurensse OP 2 weeks ago

    It's even a bit stranger than that: you can see a page item session value via the developer toolbar when you choose “Page Items”. When you select “Session State” that same value is now ***.