I can't explain why the entire connection string is encrypted, but I can offer perspective on the scope of the task you've been assigned so you can manage the compliance group's expectations. When you say that you can see everything in the UI unencrypted, that's only mostly true. Depending on the particulars of the database credentialing, there are often encrypted passwords in Gallery Data Connections that are not visible in clear text. And of course, only a few people will have access to the Admin page of the gallery, so it's not as though every user can view them. Nevertheless, this is the easiest way to see all the connection strings for all the Gallery Data Connections.
Another recommendation for you would be to look at the files on the server that represent the System data connections set up on the server instance of Designer. You can find them in \%ProgramData%\Alteryx\Engine.
Now the disclaimer:
None of these includes every possible data connection that can be included in a workflow on gallery. There is nothing to prevent users from specifying DSN-less connection strings which would be successful as long as the server has the appropriate driver installed. Users can also encrypt workflows when uploading them, so even downloading every workflow might not allow direct access to every connection that gallery workflows might make.
And then there are also API calls...but that would be a separate topic.
Principal Support Engineer -- Knowledge Management Coach