WebFinger requests are encrypted with TLS, so neither the headers nor payload are exposed. Further, there should be no sensitive information in the headers. While the subject of the request is present, some people preferred the subject to be a query parameter and some preferred it be a component of the URI path (as opposed to a parameter). So if there was a different approach taken, the subject would have still been a part of the URI path.
With respect to those various exposure vectors enumerated on that site about ways information is leaked, this is true of any RESTful API. What is considered potentially sensitive information is the content of the WebFinger reply, especially if that reply is from a system that requires additional authentication to access. The response contains a JSON Resource Descriptor (JRD) might contain email configuration information, for example, and is carried in the response payload.