To be clear: `zeroize()` is called, but only on the key and password. Which is what the docs say, so I was being unfair when I lumped that under grand claims not being met. However! The actual secrets are never zeroized. They're loaded into plain `String` / `HashMap<String, String>`.

Again, not actually a problem in practice if all you're doing is keeping yourself from storing your secrets in plain text on your disk. But if that's all you care about, there are many better options available.