Yeah for me the issue is not in a log leak being found.

If you send the keys to the server, there is a possibility for them to be leaked. Even if no log leak was found, there could be your proxy server, cloudflare, the users router or someone else logging it. It also means that your ssl certificate is the only protection the user has between their keys and a potential man in the middle.

I am glad that you are working to resolve this, but I am a bit sad that this has not crossed your mind when you decided to send them to the server.

This is the exact reason we have steemconnect, so that developers don't need to know every bit of security there is and can use a ready made secure framework.