OK. I see your opinion, but I do not understand it.
We saw all the tokens in the logs on the server, so I am not sure why they cannot be visible in the form of an environment variable. It also means that SAML assertions are not only scoped to the browser, but really exist on the server in the scope of the build job. Every build job exposes a bunch of temporary/local data in the form of environment variables. The SVN plugin also exposes SVN credentials in this way - there is a variable which contains them.
I would be very thankful if you could elaborate on why it is a security issue.