In SlingAuthenticator.logout() only the AuthenticationHandlers which are registered on paths which are roots of SlingAuthenticator.getHandlerSelectionPath() are selected.
This path should either be taken from the servlet path, or will be read from the Authenticator.LOGIN_RESOURCE request attribute if it is present.
Now, in LogoutServlet.service() the LOGIN_RESOURCE is always set to it's default value ("/") by calling AuthUtil.setLoginResourceAttribute().
As a result, dropCredentials() will only be called on authentication handlers which are registered to "/".
My expectation is that the selection of logout handlers should be independent of their registration paths, in order to allow a POST to /system/sling/logout have all registered handlers drop credentials.