Well, the general idea/requirement is that when config is shown in the CLI, the output should be possible to paste back into the CLI to set that config, i.e. it can’t print **** or something like that. If you want to restrict access to some data for security reasons, the way to go is NACM rules. The sample rules that come with the ConfD installation are pretty simplistic, but basically members of the “admin” group can do “anything”, while access for other groups is more restricted - in particular regarding /aaa/authentication/users, users can only access their own entry.
So, assuming that you are using those rules, the above command is executed as user “admin” or some other member of the “admin” group - and since you can then set whatever value you want for the ‘password’ leaf, preventing it from being read doesn’t make much sense. It’s basically equivalent to the fact that if you have root privilege on Linux, you can just cat /etc/shadow and see all the hashed passwords. If you can’t trust the users in the “admin” group, you need to restrict their privileges, and probably create a “super-user” group or the like which only has trusted users. Or just remove the untrusted users from the “admin” group.
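
A sketch of the "super-user" split suggested above, written as standard NACM (RFC 8341) configuration. This is an added example, not part of the original post and not the sample rules shipped with ConfD. The user names, rule names and the AAA namespace URI are assumptions to check against your own data model.

```xml
<!-- Added example: group members and rule names are constructed.
     The aaa namespace URI below is an assumption; use the one from your model. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <groups>
    <group>
      <name>super-user</name>
      <user-name>alice</user-name>   <!-- trusted operator (constructed) -->
    </group>
    <group>
      <name>admin</name>
      <user-name>bob</user-name>     <!-- no longer fully trusted (constructed) -->
    </group>
  </groups>

  <!-- Rule-lists are evaluated in order and the first matching rule wins. -->
  <rule-list>
    <name>super-user</name>
    <group>super-user</group>
    <rule>
      <name>any-access</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>

  <rule-list>
    <name>admin</name>
    <group>admin</group>
    <!-- Deny read AND write on the user database: blocking only read would be
         pointless if the group could still set the password leaf. -->
    <rule>
      <name>deny-user-db</name>
      <path xmlns:aaa="http://tail-f.com/ns/aaa/1.1">/aaa:aaa/aaa:authentication/aaa:users</path>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
    <rule>
      <name>any-other-access</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>
```

The deny rule comes before the catch-all permit in the "admin" rule-list because the first match decides the outcome. As written it also stops "admin" members from reading or changing their own entry.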