Thanks for your attention to this.
I'm definitely not a cryptography expert, but it seems to me that the actual mechanisms (MD5, SHA-256) are more important than the protocols used to negotiate them (SASL, SCRAM). When some security expert unfamiliar with PostgreSQL goes over its documentation to determine whether it's secure, I think it's important to make sure that the word SHA-256 is actually there.