Zeroing data does not protect from sidechannel exfiltration. You really need to mfence it also. The zeroize crate also doesn't help there, it only does protect from wrong compiler dead block elimination.