Thanks for sharing the details. It looks like a valid issue and has not been resolved yet. Currently, the solution is keeping the file remains secure, but when it comes to SIEM monitoring, it will be a major concern. Any thoughts on this?
Other solutions:
1. Use Kerberos
2. Disallow password creation and altering, except via psql \password or similar methods.
3. Disable logging when you are about to attempt a password change