return from secure function to non-secure, why r4-r11 register not being cleared

Hi guys,

I found that when a secure function calls a non-secure function, before jumping to non-seucre state (either to thread or to handler), the registers r0-r12 (except for the reg passing argument) are cleared.

But in the case when non-secure callable function returns to non-secure function, only r0-r3 and r12 are cleared. So i think there is a risk of being exposed by r4-r11. So is this a threat to secure system?

And I want to know why don't the development tools clear all the registers in the second case? 

Thanks a lot !