If I just encrypt a string with a credit card number, the old unencrypted one is still hanging around for a bit until it’s garbage collected. The encryption is written to a new copy. The same issue arises if we try to overwrite the old string when done with it, i.e. the original string becomes unreferenced and a new string is created for the overwrite.
I did wonder about SecureString but this discussion seems to identify issues with it:
What is the recommended way of holding credit card details in C#?
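The copy problem described in the question, shown with a mutable buffer instead of a string. This is an added example, not part of the original post: it keeps the card number in a pinned `byte[]`, encrypts it, and zeroes the same memory in place. It assumes .NET 8 or later; `PanBuffer` and `EncryptAndWipe` are hypothetical names, and the card number is a constructed test value.

```csharp
using System;
using System.Security.Cryptography;

static class PanBuffer
{
    // Hypothetical helper: encrypts the card number in `pan` with AES-GCM,
    // then zeroes `pan` in place. Returns nonce || tag || ciphertext.
    public static byte[] EncryptAndWipe(byte[] pan, byte[] key)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] tag = new byte[16];
        byte[] cipher = new byte[pan.Length];
        try
        {
            using var aes = new AesGcm(key, tag.Length);
            aes.Encrypt(nonce, pan, cipher, tag);
        }
        finally
        {
            // Overwrites the same memory; this call is not optimised away.
            CryptographicOperations.ZeroMemory(pan);
        }
        byte[] output = new byte[nonce.Length + tag.Length + cipher.Length];
        nonce.CopyTo(output, 0);
        tag.CopyTo(output, nonce.Length);
        cipher.CopyTo(output, nonce.Length + tag.Length);
        return output;
    }

    static void Main()
    {
        // Pinned allocation (.NET 5+): the GC never relocates this array,
        // so compaction cannot leave a stale copy of the plaintext behind.
        byte[] pan = GC.AllocateArray<byte>(16, pinned: true);
        // Constructed test number; the u8 literal creates no System.String.
        "4111111111111111"u8.CopyTo(pan);

        byte[] key = RandomNumberGenerator.GetBytes(32); // demo key only
        byte[] blob = EncryptAndWipe(pan, key);

        Console.WriteLine($"blob length: {blob.Length}");
        Console.WriteLine($"plaintext wiped: {Array.TrueForAll(pan, b => b == 0)}");
        CryptographicOperations.ZeroMemory(key);
    }
}
```

This only controls the buffer the code owns: if the number has already passed through a `string` upstream (form binding, JSON deserialisation, logging), that copy still waits for the garbage collector.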