"Be vigilant" seems to be the mindset, but I can't help but feel a system that protects from accidentally logging secrets is what is needed. Due to the varied ways people log, and what they log and when, it is likely unsolvable in the general sense.
We have structured logs (serialized objects as JSON that auto-get default fields like app name, timestamp, and such). These structures can have fields tagged as sensitive, and those values are redacted. This is still prone to human error.
> …a system that protects from accidentally logging secrets…
That ecosystem exists. There are SW tools, both on-prem and (less interestingly) cloud/SaaS, that sit in the middle and look for personal and sensitive data. You plug into their API, and then get to decide what to do when such information is detected: ignore, quarantine, redact, alert…
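A sketch of the tagged-field approach described in the thread, added here as an illustration and not taken from any commenter's code base. The `LoginEvent` type, the `sensitive()` helper, the `demo-app` name and the name hints are all assumptions; the untagged `api_token` field is deliberate, to show the human-error case and a simple check that catches it.

```python
import json
from dataclasses import dataclass, field, fields
from datetime import datetime, timezone

REDACTED = "[REDACTED]"

def sensitive(**kw):
    """Declare a dataclass field whose value must never reach the log."""
    return field(metadata={"sensitive": True}, **kw)

@dataclass
class LoginEvent:            # hypothetical event type
    user: str
    password: str = sensitive()
    api_token: str = ""      # human error: nobody tagged this one

def to_log_line(event, app="demo-app"):
    """Serialize to JSON with default fields; tagged values are redacted."""
    record = {
        "app": app,
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": type(event).__name__,
    }
    for f in fields(event):
        value = getattr(event, f.name)
        record[f.name] = REDACTED if f.metadata.get("sensitive") else value
    return json.dumps(record)

def untagged_suspects(event_cls, hints=("pass", "token", "secret", "key")):
    """Backstop: fields whose name looks secret but that lack the tag."""
    return [
        f.name for f in fields(event_cls)
        if not f.metadata.get("sensitive")
        and any(h in f.name.lower() for h in hints)
    ]

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(to_log_line(LoginEvent("alice", "hunter2", "tok-constructed")))
    print("untagged but suspicious:", untagged_suspects(LoginEvent))
```

Running `untagged_suspects` over every event class in a unit test or CI step turns a forgotten tag into a build failure instead of a leaked value, though it only catches fields whose names match the hints.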