Relevant:

"Following the recent report that Mixpanel, a popular analytics provider, had been inadvertently collecting passwords that users typed into websites, we took a deeper look. While Mixpanel characterized it as a “bug, plain and simple” — one that it had fixed — we found that:

- Mixpanel continues to grab passwords on some sites, even with the patched version of its code.

- The problem is not limited to Mixpanel; also affected are session replay scripts, which we revealed earlier to be scooping up various other types of sensitive information.

- There is no foolproof way for these third party scripts to prevent password collection, given their intended functionality. In some cases, password collection happens due to extremely subtle interactions between code from different entities."

https://freedom-to-tinker.com/2018/02/26/no-boundaries-for-c...

I have worked in the past on a tool that recorded user sessions on websites and keystroke collection didn't end up implemented only because we were a small enough company that my strong stance against it could actually block it. It was a feature that often came up from the product team after discussions with customers, and IIRC some competitors already had it implemented back then.

Our own prototype, from before I've actively joined that particular project, tested on some live website helpfully displayed all the content of some textarea of some request form that somebody started to fill in, but afterwards decided not to include some of the details. That was a big eye-opener for me that it's absolutely not a right thing to do. We have ended up implementing a debounced indicator "some typing activity is occurring right now on this field", but we still had to deal with feature requests about content collection.

Judging from quality of some of those competing solutions, I certainly wouldn't bet that they're "intelligent enough". Maybe in 75% of the most common cases, maybe.