Per Steve's advice, he has recommended NOT modifying the RRSD, UA,
drivers. Fair enough.

But reading the Whats New in Designer 4, under 4.02, (Designer, Help,
Whats New pops open a browser to this path:
(Your path will change))

they explain that using a GCV for a password, you need to use the ECMA call:

Instead of the more expected GCV.get('password').

Then they go on to say:

GetNamedPasswordRequest() does not find named passwords in driverset

Workaround: Ensure all password GCVs are created on the driver, not the
driver set.

So this implies you should add Named Passwords and GCV's on the driver
object, not Driver Set. Which implies modifying the UA driver...

Seems like a contradiction?

Same point for this snippet:

Expressions generated for password GCVs are not correct, also missing
warning about missing "allow-fetch-named-passwords"

Workaround 1: Ensure the expression for the password-ref GCV is in the
format of GCV.getValueForNamedPassword('password')

Workaround 2: In addition to defining the password-ref GCV, it is
required that an additional GCV has been defined in order to enable it.
(This was done as for security purposes). To do so, define a boolean GCV
named "allow-fetch-named-passwords" on the driver and set it to true.

This suggests a GCV on the UA driver.