hkamel / sonar-auth-aad

Azure Active Directory Authentication for SonarQube

Client Secret exposed in settings after save

dfar-io opened this issue

After saving the Client Secret for my service principal, the secret is exposed to any other administrators within the system.

The secret should be masked to keep the value a secret (matching the functionality provided in Azure).

[Screenshot: General Settings - Administration]

You should use the Settings Encryption feature that's part of SonarQube if you want to mask the value from view. See Settings Encryption in the Official Documentation for information on how to do that. Note that for step 4, you just need to copy the generated value to the configuration field.
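
A check an administrator could run after enabling Settings Encryption, as an added example that is not part of the issue thread or the plugin's code. It assumes SonarQube's documented default key location (`~/.sonar/sonar-secret.txt`) and the `{aes}` / `{aes-gcm}` value prefixes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the plugin): audit helpers for SonarQube Settings Encryption.
# Assumptions: the secret key lives in a file such as ~/.sonar/sonar-secret.txt and
# encrypted setting values are stored as {aes}<ciphertext> or {aes-gcm}<ciphertext>.

# Return 0 if the value carries an encryption prefix followed by ciphertext.
is_encrypted_value() {
    case "$1" in
        '{aes}'?*|'{aes-gcm}'?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the key file exists, is non-empty and grants nothing to group/other.
key_file_is_private() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    # Characters 5-10 of the mode string are the group and other permission bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# audit_client_secret KEYFILE VALUE
# Prints findings (never the value itself) and returns the number of problems.
audit_client_secret() {
    problems=0
    if ! key_file_is_private "$1"; then
        echo "FAIL: $1 is missing, empty, or accessible to group/other"
        problems=$((problems + 1))
    fi
    if ! is_encrypted_value "$2"; then
        echo "FAIL: Client Secret field holds plaintext (no {aes}/{aes-gcm} prefix)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: key file is private and the value is encrypted"
    return "$problems"
}

# Usage (paths and value are placeholders):
#   audit_client_secret "$HOME/.sonar/sonar-secret.txt" "$VALUE_FROM_SETTINGS_FIELD"
```

A passing result means other administrators see only ciphertext in the field, and the key needed to decrypt it is readable only by the account that runs SonarQube.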