Improve "Sanitize Sensitive Values" section in reference documentation

Closes gh-39094

spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc

@@ -282,19 +282,27 @@ NOTE: The `management.endpoint.<name>` prefix uniquely identifies the endpoint t
 
 [[actuator.endpoints.sanitization]]
 === Sanitize Sensitive Values
-Information returned by the `/env`, `/configprops` and `/quartz` endpoints can be somewhat sensitive.
-All values are sanitized by default (that is replaced by `+******+`).
-Viewing original values in the unsanitized form can be configured per endpoint using the `showValues` property for that endpoint.
-This property can be configured to have the following values:
+Information returned by the `/env`, `/configprops` and `/quartz` endpoints can be sensitive, so by default values are always fully sanitized (replaced by `+******+`).
 
-- `ALWAYS` - all values are shown in their unsanitized form to all users
-- `NEVER`  - all values are always sanitized (that is replaced by `+******+`)
-- `WHEN_AUTHORIZED` - all values are shown in their unsanitized form to authorized users
+Values can only be viewed in an unsanitized form when:
+
+- The `show-values` property has been set to something other than `NEVER`
+- No custom `<<howto#howto.actuator.customizing-sanitization, SanitizingFunction>>` beans apply
+
+The `show-values` property can be configured for sanitizable endpoints to one of the following values:
+
+- `NEVER`  - values are always fully sanitized (replaced by `+******+`)
+- `ALWAYS` - values are shown to all users (as long as no `SanitizingFunction` bean applies)
+- `WHEN_AUTHORIZED` - values are shown only to authorized users (as long as no `SanitizingFunction` bean applies)
 
 For HTTP endpoints, a user is considered to be authorized if they have authenticated and have the roles configured by the endpoint's roles property.
 By default, any authenticated user is authorized.
+
 For JMX endpoints, all users are always authorized.
 
+The following example allows all users with the `admin` role to view values from the `/env` endpoint in their original form.
+Unuthorized users, or users without the `admin` role, will see only sanitized values.
+
 [source,yaml,indent=0,subs="verbatim",configprops,configblocks]
 ----
 	management:
@@ -304,9 +312,7 @@ For JMX endpoints, all users are always authorized.
 	      roles: "admin"
 ----
 
-The configuration above enables the ability for all users with the `admin` role to view all values in their original form from the `/env` endpoint.
-
-NOTE: When `show-values` is set to `ALWAYS` or `WHEN_AUTHORIZED` any sanitization applied by a `<<howto#howto.actuator.customizing-sanitization, SanitizingFunction>>` will still be applied.
+NOTE: This example assumes that no `<<howto#howto.actuator.customizing-sanitization, SanitizingFunction>>` beans have been defined.