Command line arguments or environment variables can easily be exposed via the /proc file system.
ZBXNEXT-1550 one can create custom functions that may get sensitive data passed by item arguments as there is no additional process forked that my reveal any information.
Now I wonder whether it is feasible to improve External check and User parameter functionality to be usable for such cases too - to get sensitive data passed more securely.
The only way I currently can think of is by optionally passing data to stdin of the custom command.
I've no clue whether it should rather be configurable in a fixed format with two variables only (username and password) or a free form field supporting line breaks.
The first allows to use existing form fields. The latter provides maximum flexibility for instance to adapt a format that is already supported by a given custom command.
I know, without something like ZBXNEXT-1660 there is no real security for sensitive data in Zabbix at all but I think this could still be a worthwhile improvement.