Who on earth would want to query the spend secret key over wallet RPC?
https://github.com/sumoprojects/sumokoin/commit/819f7e6e0eff6e4f7f41eca32f2e9df1d9b92e03If the connection was somehow compromised and an attacker managed to see this data, all your money would be gone. Only a fool would use this feature.
The developers seem neither competent nor serious about security, which explains why the very old bug in the wallet has been left unsolved for a long time.
1. First, seed words can be retrieved via wallet RPC too, what's different from spendkey if connection is somehow compromised?
OK, it was my overlooking; I didn't know about that feature and I'm surprised now.
I apologize for making a wrong accusation.
My overall doubt anout the developers' competence and honesty still remains, though.