I've known users to type passwords in the username field. you implicitly do NOT know all secrets (e.g., a password is hashed).

secrets can also churn, so even if you did your example would require something besides an in-memory array.

and, the final point: what if your secret masking code fails on an exception, too ;)