SARIF should have clearer guidance for sensitive data handling best practices

Discussion of deterministic CBOR surfaced a topic around best practice for handling sensitive data.

The technical committed discussion briefly various possible enterprise use cases that exist today (from workarounds to remediations) - is there something SARIF can include in the standard here?