Who on earth would want to query the spend secret key over wallet RPC?
https://github.com/sumoprojects/sumokoin/commit/819f7e6e0eff6e4f7f41eca32f2e9df1d9b92e03If the connection was somehow compromised and an attacker managed to see this data, all your money would be gone. Only a fool would use this feature.
The developers seem neither competent nor serious about security, which explains why the very old bug in the wallet has been left unsolved for a long time.
1. First, seed words can be retrieved via wallet RPC too, what's different from spendkey if connection is somehow compromised?
My overall doubt anout the developers' competence and honesty still remains, though.