Reviewer: Does this have privacy implications?
Change 1: No, Service X marks all PII before this point. Code X drops everything marked in this way.
Two years later.
Change N: Modify request structure for more optimal blah blah blah.
Now suddenly the changed request structure causes a regression in the PII detection which causes some logging of PII.
This shit is way more complex than "just stop people when they ask to log passwords".
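The regression described in the comment above, as an added example that is not part of the original comment: a canary test that checks the final log line instead of trusting the "marked upstream, dropped downstream" assumption. The marker, the dropper, the field names and the canary values are all hypothetical and constructed for illustration.

```python
import json

# Constructed canary values: unique strings that must never reach a log line.
CANARIES = {"email": "canary-7f3a@example.invalid", "ssn": "000-00-0000-CANARY"}
PII_KEYS = {"email", "ssn"}

def mark_pii(request):
    """Hypothetical 'Service X': marks PII, but only looks at top-level fields."""
    return {k: {"__pii__": True, "value": v} if k in PII_KEYS else v
            for k, v in request.items()}

def drop_marked(node):
    """Hypothetical 'Code X': recursively drops every value carrying the marker."""
    if isinstance(node, dict):
        return {k: drop_marked(v) for k, v in node.items()
                if not (isinstance(v, dict) and v.get("__pii__"))}
    if isinstance(node, list):
        return [drop_marked(v) for v in node]
    return node

def log_line(request):
    """The text that would actually be written to the log."""
    return json.dumps(drop_marked(mark_pii(request)), sort_keys=True)

def leaked_canaries(line):
    """Names of canary values that survived into the log line."""
    return sorted(name for name, value in CANARIES.items() if value in line)

def flat_request():
    """Request shape at the time of Change 1: PII at the top level."""
    return {"action": "signup", "email": CANARIES["email"], "ssn": CANARIES["ssn"]}

def nested_request():
    """Request shape after Change N: PII moved under a nested object."""
    return {"action": "signup",
            "profile": {"email": CANARIES["email"], "ssn": CANARIES["ssn"]}}

if __name__ == "__main__":
    for name, build in (("flat", flat_request), ("nested", nested_request)):
        print(name, "leaked:", leaked_canaries(log_line(build())))
```

Run against every request shape the service accepts, a check like this fails on Change N even though neither the marker nor the dropper was touched by that change.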