Unable to use secure iparams in iparams.js

I am trying to build a simple installation page with one input for the Freshservice API key and a multidropdown that needs an API call to set up its options.
Here is my iparams.json:

{
    "api_key": {
        "display_name": "Freshservice API Key",
        "type": "text",
        "required": true,
        "secure": true
    },
    "excludeCustomFields": {
        "display_name": "Blacklist",
        "description": "...",
        "type": "multiselect",
        "options": [],
        "default_value": []
    }
}

I want the users to fill in a valid API key, refresh the page and then use the previously saved API key to fetch the dropdown options. But when I make the api_key a secure iparam, this doesn’t work:

If api_key is not secure, this works without issues. Is there any way to use a secure iparam for a Request in the installation page?

EDIT: This seems to only affect local testing, it is working fine for deployed apps.
EDIT2: It also seems that I am able to read secure iparams using client.iparams.get() in the installation page, which (as far as I understood) should not be possible anymore. I am using FDK 9.6.0.