We clearly have different goals. I don't like current backup, because the result is just binary file, which you can restore to same device and that's it. Only same model devices are officially supported, and I'm not sure about compatibility between different RouterOS versions. You can't even see what's inside, compare differences between two backups, nothing. This is what I really hate about it. Readable export is so much better, except for the missing parts. In most cases I currently don't use RouterOS to manage certificates and keys, so I do have them elsewhere. But sometimes it would be handy to use RouterOS to create them and still have convenient backups.
As I see it, if it's there, it should be exportable (subject to user's permissions of course). Current export is strangely selective. You can say that for example IP address is a little different from private key. But they are both important. And what about IPSec secret (pre-shared key) and IPSec key (RSA)? They are on same level and yet one is exported and the other isn't. That's very convenient example for me.
And security-wise, backup does contain keys. They don't seem to be directly readable (even in unencrypted backup), but the format must be reversible, in order to be able to import it back. Which is exactly what you can do, import it to any other device and get everything. It won't work if you somehow get random encrypted backup, but if you're admin user who can create one, no problem. Although in that case (being admin), you don't even need to bother, you can just export whatever is in running system.
But our goals don't necessarily conflict. If export could contain everything, only admin users would get sensive parts like keys. In any case, you can't let untrusted admin users in, because when default config is also current config, they can export anything. So your problem is when someone resets the router, becomes admin and can see default config. I don't hard-reset routers very often, so right now I'm not sure how it works with default configuration, i.e. if I can get equivalent of "/system reset-configuration no-defaults=yes" with reset button. If I remember correctly, factory-default config is applied on reset, but gives user the option to revert it. If this can be prevented with custom default config and if you can also set users and passwords (so nobody could get in without knowing it), you're good. Even if my wish came true and export could contain everything, nothing would change for you, because only admin users would be able to see sensitive parts of current config, and it would make sense to use same kind of filtering for default config too.