I believe by default any password field type is not included in API responses for security reasons, regardless of the checkbox “Private field” when editing the field.
If true, then I’d suggest that at least the “Private field” checkbox should be disabled for the password field type.