Security issue? ${ssm:references} and .serverless/serverless-state.json

Following this guide:

I have a secret stored in AWS SSM in the parameter store as a secure string.

I reference this SSM secret via the ${ssm:} in my serverless.yml

I run “serverless deploy --stage dev” which completes OK

The “.serverless/serverless-state.json” now has the clear text secret residing in the clear on my local disk and every other developers laptop who has access to run this project.

Is this intended? The whole point of using a secrets store is to keep those living in one place and not scattered all over the place.