> By default, you’re one fmt.(Sp|P)rintf("%v\n", session) away from including a user’s password hash in your logs, writing it to a file, or returning it in a server response.

nope. just use a custom String method:

    func (UserSession) String() string {
       return "hello world"
    }

or a custom type:

    type UserSession struct {
       Username string
       pwHash password
    }
    
    type password string
    
    func (password) String() string {
       return "[redact]"
    }