by a85 238 days ago
Yes. The post is misleading and we have more detail on what we do here.

https://blog.postman.com/engineering/postman-free-is-secure-...

Postman allows for turning off history, keeping variables local, and setting up a local vault, all in the free product, and in more advanced plans there are secret scanning capabilities for IT and security teams.

https://blog.postman.com/choose-the-right-postman-plan-for-y...

These issues are not unique to Postman and apply to all cloud products, GitHub for instance. Products that are “offline” just shift the burden to the user.

1 comments

All good security measures, for sure, but the blog post you linked doesn’t mention anything about telemetry (i.e. request data sent to those *.gw.postman.com endpoints). As a user, it would be great to know exactly what data is sent to Postman servers (e.g. we send resolved query strings, we don’t send headers, etc.), as well as to have an easy way to opt out of telemetry altogether.