Hi @schollii,
I must admit I was not directly involved in the research for this feature but I believe that one of the key requirements was that human-readable output should never include sensitive values. This mechanism to get at the raw values by programmatic means was intended to allow you to programmatically inspect the sensitive results in order to automatically make decisions without a human ever seeing the sensitive value.
For now I would expect that we would not add a new option for this because new options of this sort add another dimension to the matrix of possibilities we need to account for in future improvements and fixes, and sensitive value handling is a cross-cutting concern because such an option would need to be handled correctly in every separate situation where Terraform renders a value. The risk of a bug accidentally exposing a sensitive value would therefore be increased.
I understand that the result is inconvenient in your case because you have a different sense of the requirements that motivated this design: you consider your own personal terminal to be “secure enough” to display those settings, whereas CI is not. However, we have limited resources and so unfortunately we often must make design tradeoffs that prioritize one use-case over another, and this is an example of that.
As I mentioned before, my hope would be that for most situations it would be preferable to design the system so that there’s never a need for a human to directly inspect sensitive values, because the configuration is designed to give the human operator all of the information they need to make a decision. That may not be straightforward in all cases, but I expect it will be possible in most cases now that we have the `nonsensitive` function to allow for selectively disclosing non-sensitive values derived from sensitive ones.
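A sketch of the selective-disclosure pattern described in the last paragraph, added here as an example and not part of the original post. The variable, local and output names are hypothetical; only `nonsensitive` and the `sensitive` argument are Terraform's own.

```hcl
# Hypothetical inputs: both are marked sensitive, so Terraform redacts them
# (and anything derived from them) in plan and apply output.
variable "db_password" {
  type      = string
  sensitive = true
}

variable "service_tokens" {
  type      = map(string) # token name => token value
  sensitive = true
}

locals {
  # These results are still treated as sensitive because they were
  # computed from sensitive inputs.
  password_meets_policy = length(var.db_password) >= 16
  token_names           = keys(var.service_tokens)
  empty_token_names = [
    for name, value in var.service_tokens : name if value == ""
  ]
}

# The operator sees only a yes/no answer, never the password itself.
# Without nonsensitive(), Terraform rejects this output because it refers
# to a sensitive value and is not declared sensitive.
output "db_password_meets_length_policy" {
  value = nonsensitive(local.password_meets_policy)
}

# The whole map is sensitive, which hides the keys as well. The names are
# safe to show, so only they are disclosed.
output "configured_service_tokens" {
  value = nonsensitive(local.token_names)
}

# A fact the operator can act on (which tokens were left empty) without
# any token value being rendered.
output "service_tokens_missing_value" {
  value = nonsensitive(local.empty_token_names)
}

# The raw value stays redacted in human-readable output.
output "db_password" {
  value     = var.db_password
  sensitive = true
}
```

Each `nonsensitive` call is a deliberate statement that the derived value is safe to show, so it belongs only on results that cannot be used to recover the secret.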