The issue is that just by returning SessionOptions the password is in plain view. Should you wish to make use of the information within SessionOptions for things such auditing, logfiles or pass the object to another process you have to be careful how to handle the object so not to expose the password value by other means. It's all about reducing the risk.
I'm still not sure I understand.
So what do you propose?
ok, if you logged into a website and the password field displayed the characters rather than masking them with say '****' I think this would be considered a risk. What if I wrote a script with the password written as plain text such as $password = 'Pa$$w0rd', is this considered good practice? Nope.
Why does SessionOptions expose the password as plain text? It's even worse when the SecureString was used instead and it immediately decrypts it and presents it back to you.
It should be redacted; the same as it does in the session output property where it shows you the connection string:
winscp> open "sftp://myuser:***@10.1.0.1" -hostkey ssh1234
As mentioned earlier I'm redacting the value myself as soon as a connection is made:
$sessionOptions.Password = "***"