Agree, this is a privacy hole that ought to be plugged. Didn’t know about it either (then again, I never use it), not happy about it. Fortunately I had linked it to a separate IBAN, but all the same...
Besides, if the argument is fraud prevention: isn’t that easily negated by creating a disposable IBAN? :P Show after payment is something that can be OK, but without even making a payment? That makes it an easy target for scrapers as well.
Whilst we’re on the subject anyway, also be advised that people can find your IBAN if you have your phone number or email set as an Alias (Settings of the bank account -> Aliases). If you value your privacy, disable that (check each account) as well.