The key thing is being able to list all possible error messages and demonstrate that none contain problematic data.

So. `throw new Exception("incorrect password")` good. `throw new Exception($"problem with password : {ex.Message}")` bad.

The argument being that ex.Message might be "sql error incorrect syntax near 'otheruserspassword'" or something.
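As an added illustration (not code from the comment above), the same distinction in C#: the raw exception is written to an internal log under a correlation id, and every user-facing message comes from one fixed table, so the complete set of messages can be listed and reviewed for sensitive data. The names LoginError, LoginFailedException and LoginService are assumptions made for this example.

```csharp
// Added example, not the commenter's code. LoginError, LoginFailedException
// and LoginService are hypothetical names chosen for this illustration.
using System;
using System.Collections.Generic;

public enum LoginError { IncorrectPassword, ServiceUnavailable }

public sealed class LoginFailedException : Exception
{
    // Every user-facing message comes from this fixed table, so the complete
    // set of strings a caller can ever see is enumerable and reviewable.
    private static readonly IReadOnlyDictionary<LoginError, string> SafeMessages =
        new Dictionary<LoginError, string>
        {
            [LoginError.IncorrectPassword]  = "incorrect password",
            [LoginError.ServiceUnavailable] = "login temporarily unavailable",
        };

    public LoginError Code { get; }
    public Guid CorrelationId { get; }   // lets support locate the internal log entry

    public LoginFailedException(LoginError code, Guid correlationId)
        : base(SafeMessages[code])
    {
        Code = code;
        CorrelationId = correlationId;
    }

    // The reviewable list the comment asks for: no entry can carry runtime data.
    public static IEnumerable<string> AllPossibleMessages() => SafeMessages.Values;
}

public static class LoginService
{
    // The raw exception (message, stack trace, any SQL text) goes to the internal
    // log under a correlation id; the caller sees only a fixed message plus that id.
    public static void VerifyPassword(Func<bool> passwordMatches, Action<string> log)
    {
        var id = Guid.NewGuid();
        try { if (!passwordMatches()) throw new LoginFailedException(LoginError.IncorrectPassword, id); }
        catch (Exception ex) when (!(ex is LoginFailedException))
        {
            log($"{id}: {ex}");   // ex.Message never reaches the user-facing path
            throw new LoginFailedException(LoginError.ServiceUnavailable, id);
        }
    }
}
```

A unit test can iterate `LoginFailedException.AllPossibleMessages()` and assert that no entry contains a placeholder or interpolated value, which is the "list all possible error messages" check the comment describes.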