
This isn't really something I would consider a full path disclosure because:


This is absolutely a misconfiguration and something we never recommend. If you have debug mode on, an attacker can obtain much more information, including potentially secret values being inserted into the database. Further, beyond the full path, this is leaking a backtrace which may give further information.


Without debug mode on, we don't display error details/backtraces to untrusted users. Note that an admin is always considered to be at least somewhat trusted. You mentioned the logs in the control panel showing the path. Even if we did, there are other ways an admin can determine the file path. We do not consider the file path to be something that needs to be hidden from an admin generally browsing, which would be distinct from passwords.



The paths being hidden is mostly out of avoiding it being overly verbose. Preventing library/ from being browsed does help prevent a full path disclosure there -- but that's a situation where we would have no control over the configuration. When XF's framework has been initialized, we can control what is displayed, so it goes back to the debug mode/trusted user elements.


If you can trigger a full path disclosure by an untrusted user in a file in the root directory, we do fix those. But I don't see a bug here as the out of the box and recommended configuration doesn't trigger anything when an error occurs.
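The gating the reply describes (full error detail only in debug mode or for a trusted user, a generic message for everyone else, full detail to a log either way) can be written as a small error renderer. The code below is an added example written for this thread, not XenForo's own error handling; the `debug` config key, the `$viewerIsTrusted` flag and the `leaksPath()` check are assumptions made for illustration.

```php
<?php
// Added example, not XenForo code. Shows the policy from the reply above:
// untrusted users never see the file path or backtrace unless debug mode is on.
declare(strict_types=1);

// Hypothetical config shape. 'debug' => false is the recommended production value.
$config = ['debug' => false];

/**
 * Render an error for the current viewer.
 * Full detail (class, message, file path, backtrace) is shown only when
 * debug mode is on or the viewer is trusted (e.g. an admin). The detail is
 * always written to the server-side log, which is not web-readable.
 */
function renderError(Throwable $e, array $config, bool $viewerIsTrusted): string
{
    $detail = sprintf(
        "%s: %s in %s:%d\n%s\n",
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        $e->getTraceAsString()
    );

    // Log the full detail regardless of who triggered the error.
    error_log($detail);

    if (!empty($config['debug']) || $viewerIsTrusted) {
        return '<pre>' . htmlspecialchars($detail, ENT_QUOTES, 'UTF-8') . '</pre>';
    }

    // Untrusted viewer: no path, no trace, and no exception message either,
    // since a message such as a failed SQL statement can carry secret values.
    return 'An unexpected error occurred. Please try again later.';
}

/**
 * Practitioner check: does rendered output disclose the installation root?
 * Run this against responses produced as an untrusted user with debug off.
 */
function leaksPath(string $rendered, string $installRoot): bool
{
    return $installRoot !== '' && strpos($rendered, $installRoot) !== false;
}

// Constructed demonstration: an error whose message embeds data from a query.
try {
    throw new RuntimeException("INSERT INTO xf_user_option (secret) VALUES ('hunter2') failed");
} catch (Throwable $e) {
    $root = dirname(__DIR__);

    $forGuest = renderError($e, $config, false);
    $forAdmin = renderError($e, $config, true);
    $debugOn  = renderError($e, ['debug' => true], false);

    // Expected: guest output leaks nothing; admin and debug-mode output include the path.
    printf("guest leaks path: %s\n", leaksPath($forGuest, $root) ? 'yes' : 'no');
    printf("admin leaks path: %s\n", leaksPath($forAdmin, $root) ? 'yes' : 'no');
    printf("debug leaks path: %s\n", leaksPath($debugOn, $root) ? 'yes' : 'no');
}
```

The point of `leaksPath()` is the test an auditor actually wants: request an error page as a logged-out user with `debug` off and confirm neither the web root nor the exception message appears in the response. The log line is still written, so nothing is lost for the operator.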

