XORing the plaintext with str_repeat($secretkey) is worse than encrypting in ECB mode.
There is no salvaging this "encryption" code. rm it, it's not secure.
JCryptCipherSimple is already deprecated and will be removed with 4.0.
Due to B/C it is still shiped but it's recommended to use one of the more secure alternatives.
Use random_bytes() backfill in JCrypt::genRandomBytes (Fix #8327)
That's good, but I would seriously consider throwing an E_NOTICE or E_WARNING whenever it's used as of 3.5.0.
We aren't going to place potentially publicly visible notices on people's sites. The deprecation is the best we can do until Joomla 4 (potentially we can shove something in the log files but the reality is that very very few people ever check that file). There are no active use cases of this class in core. So I think we're pretty much doing the best we can at this stage. Our Joomla 4 deprecations branch already has this class (and all use cases removed as well https://github.com/joomla-projects/joomla-pythagoras/tree/feature/deprecations)