All environment variables are displayed in the build.info, this includes passwords and usernames. I tested with 3.5.0 and 3.6.1 of the plugin with the same results.
Use our default gradle pipeline example:
This has an exclude in it that does not work. I also added a art_usr and art_psw to the environment variables and saw the same behavior.
Run the build in Jenkins and check Artifactory build.info. You will see all environment variables even with explicit excludes of these variables.
A snippet from the build info