Agreed. I believe this means just means that the entire contents of your ssh session is available in /tmp/framer.txt. But as long as credentials aren't part of your STDIN/STDOUT, then they shouldn't be leaked.
Your ssh private key definitely would never be in there. The server you're connecting to doesn't even know your private key, just the public one.
That's an interesting point; I think it might depend on the exact details of how stuff is getting put into that tempfile. It's possible that anything getting read in via "silent mode" (see `-s` in https://ss64.com/bash/read.html) might not get put into that file, but given that this was a bug rather than a feature, it would probably be better to check the source code (or try an example with an unpatched version) to be sure.
Your ssh private key definitely would never be in there. The server you're connecting to doesn't even know your private key, just the public one.