There is a simple solution to this.
#1 Enable SSH to all devices and, of course, disable Telnet. This takes away your ability to "sniff" the credentials during the troubleshooting process.
#2 Build encrypted access requirements into your security policy. This gives you (ideally) leverage to enforce this configuration.
#3 Test the ACLs to be sure that they are set the way they claim. If they have strong passwords and also have wrappers set up properly along with SSH access, then you can stop concerning yourself (too much).
After all, it is not efficient or reasonable to assume that your admins should be forced to have console (physical) access only. Like anything else, assess the risk and then apply the appropriate level of security.