Well the XML does not contain SENSITIVE*DATA*DELETED for this user. Should it be like that? It only hides the domain logon password, if I would use that. Deleting the XML is part of the solution. However, it is still not save since you can restore the XML after deletion with the help of a couple tools.