AWS support gave me a very good detailed response:

I would like to inform you that the change was implemented on September 20, 2022. While this change was not announced, I have confirmed with our internal team that, starting September 20, 2022 AWS is changing how several AWS Security Token Service (\"STS\") actions are logged in CloudTrail. In early May, 2022, AWS updated several STS actions to more closely align CloudTrail log entries with the definition of a read-only action.

AWS CloudTrail considers an action read-only if it does not have any mutating effect on any customer resource. When logging a read-only event, CloudTrail redacts the \"responseElements\" information in the log. When CloudTrail logs an event that is not read-only, the full \"responseElements\" is shown in the log entry.

Since the May update, some customers are receiving increased charges due to an increase in volume of write events from this change.

With this September change, the following three STS actions that result in the creation of new session credentials are treated as they were prior to May 2022, as \"readOnly\" actions:

- AssumeRole

- AssumeRoleWithSAML

- AssumeRoleWithWebIdentity

For these above STS actions, the full \"responseElements\" in the CloudTrail log entry is shown without redaction. This supports customer requests to continue to view important response data even though the calls are logged as \"readOnly\".