ERPNext new Installation sysdefaults reveals username and otpsecret of all users?

Hello Community. I am relatively new to ErpNext and did a test install of version 12 (latest stable) with 2FA authentication enabled (Google Authenticator codes).

When I “view source” of desk home page in chrome (or any other doctype), I am noticing that it is showing all the enabled usernames and “otpsecret” under the sysdefaults module. It is also showing names and otpsecret of older test users that have been disabled and deleted from system.

Is this normal ? Is there an install issue? Does this present a security risk? Can one user use this info to generate the 2FA codes of another?