I'm not sure I understand all this talk about deferring changing the default to pg13. AFAICS only a few fringe drivers are missing support; not changing in pg12 means we're going to leave *all* users, even those whose clients have support, without the additional security for 18 more months.
IIUC the vast majority of clients already support SCRAM auth. So the vast majority of PG users can take advantage of the additional security. I think the only massive-adoption exception is JDBC, and apparently they already have working patches for SCRAM.
We have more than patches this is already in the driver.