Not sure about this one. Having public access to the web profiler in the production environment is really bad anyway. There is a ton of information that could help an attacker. So, just hiding this specific bit of information won't make it better.

A few scenarios are suggested here where a developer might want the profiler switched on in production: http://symfony.com/doc/current/book/internals.html

I'm talking specifically about someone gaining malicious access to the filesystem. Ripping database tables are somewhat ineffective at stealing user credentials, considering passwords are usually securely hashed nowadays. But the profiler database would have usernames/passwords just sitting there in plaintext.

I know there is lots of information there to aid an attacker, but so is there in most databases (IP addresses, useragents, names, email addresses etc) - but passwords are widely accepted as the one thing that should never just be stored in plaintext.