v12.0.8.0 - Users with add, edit, and delete can grant themselves "view password" on any object

With the default configuration for the root settings, any user with edit, add and delete can grant themselves 'view password' to any existing editable object by constructing a new sub-container.

In order (a simpler example is to just move from within a subcontainer; I was verifying that it just needed the edit/add and edit/delete):
Image 1 - Basic example first container has edit and add, second container has edit and delete
Image 2 - Create a sub-container in the first container. Grant permissions 'Everyone' (or custom view password -> everyone)
Image 3 - New container listed as everyone within the first container
Image 4 - Move credential to the 'visible' sub-container (or if permissions allow, create a shortcut)
Image 5 - Password is now visible
Final image is the data source information

I can block this behaviour by specifying the root settings and setting the Security -> Edit Security to a role or user (I'm confused why 'Never' is not an option here?). This doesn't seem ideal though; with a few thousand credential entries the intent is to allow builders to enter their own credential objects instead of burdening a few administrators or granting everyone administrator. Some of these will be visible for groups that can change the passwords, but not all credentials should be visible. Ideally creators should determine if the credential can be revealed (such as an sa account for example), and either set the credential as view password during creation or add to a container that allows view password. Unfortunately this allows access to credential passwords we do not want some users to have.

Edit:
I removed some information from the datasource: We're using windows authenticated logins and a SQLServer 2012