If debug is enabled, sensitive information will be displayed to visitors and search engines!
There is also no way to quickly see if debug is enabled, e.g. in the form list.
A suggestion to enable debugging for only one or more IP addresses has so far been ignored.
I'm currently using a combination of Javascript and PHP to hide the debug field, at least for visitors.
However, that won't do much to deter search engines. And the sensitive information is still in the source code!