This is not a problem with just sql-mysql, its an issue with all database products that require a password. MySql is one of the few that covers their tracks after they start up. When sql.el starts up one of these product interpreters that require a password, it embeds the password in the command line. If the operating system, such as GNU/Linux, displays the full command line of executing processes, the vulnerability exists.
The alternative is to rely upon the operating system's authentication and authorization so that explicit credentials do not need to be passed to the command interpreter on the command line. The one other solution provided by a couple of database products allow the credentials to be sent via an I/O channel which would hide them from prying eyes, but may be more difficult to
support cross platform.
I'm open to including a warning about the potential vulnerability -- wording suggestions appreciated. Alternative solutions also welcome.