One thing we do a lot of at Puppet Labs is release product. And every time we make a major product release, I have to go through and update our training material. I validate all the exercises and examples and code snippets. And when we make UI refreshes I have to take all new screenshots. That doesn't sound like much--it's just taking some pictures, right? Well, yeah... but what am I going to take pictures of? Just firing up a master and screenshotting away isn't very interesting or informing.
If you've used Puppet for anything non-trivial, you've almost certainly used it to configure something secret. Perhaps you've configured an application with a database password. Perhaps you've configured a local maintenance user account with a private SSH key. Something that might seem obvious in retrospect is that these secrets exist in the catalog--and by extension all reports and any other tooling that uses them. Anyone with access to the catalog or raw reports also has access to your secrets. All your secrets.