Connect "get-config" returns Vault token

I’m running 1.8.0 and have just configured to use Connect with Vault as the CA.
The documentation suggests that if I look up the config that the Vault token won’t be returned, however it is.

$ consul connect ca get-config 
{
        "Provider": "vault",
        "Config": {
                "Address": "https://active.vault.service.dc1.consul:8200",
                "IntermediateCertTTL": "8760h0m0s",
                "IntermediatePKIPath": "consul-ca",
                "RootPKIPath": "root-ca",
                "Token": "s.AAAAABBBBBBCCCCCCCDDD"
        },
        "State": null,
        "CreateIndex": 40061468,
        "ModifyIndex": 40063418
}

The API returns the same:

$ curl -Ss -H "X-Consul-Token: ${CONSUL_HTTP_TOKEN}" -X GET http://127.0.0.1:8500/v1/connect/ca/configuration|jq -r
{
  "Provider": "vault",
  "Config": {
    "Address": "https://active.vault.service.dc1.consul:8200",
    "IntermediateCertTTL": "8760h0m0s",
    "IntermediatePKIPath": "consul-ca",
    "RootPKIPath": "root-ca",
    "Token": "s.AAAAABBBBBBCCCCCCCDDD"
  },
  "State": null,
  "ForceWithoutCrossSigning": false,
  "CreateIndex": 40061468,
  "ModifyIndex": 40063418
}

https://www.consul.io/docs/connect/ca/vault#token states “will not be exposed when reading the CA configuration”