Azurerm remote backend: statefile always downloaded


im using azurerm with remote state storage backend which stores the statefile in azure storage as reccomended.
i was under the impression the statefile stays on the remote storage but have noticed the following where terraform is run from:
terraform.tfstate → all secrets are visible in clear text

is this expected behaviour? it seems to be poor from security point of view considering the promise of using secure backend being encrpyted on disk and in transit.

iv seen this on all versions of terraform from v0.12 to latest stable and tried on latest azurerm v2.49.0 and on old version backto v2.0.0.