Generally, sensitive information (PCI, PII) should not be used in URIs (path segments or query params) because it could be logged by termination points or, inadvertently and without masking, in proxy logs.
This question is not about what is "sensitive" information, but I'll offer a definition:
Sensitive data is any value that has meaning by itself, outside the context of the API (e.g. credit card and social security numbers).
Those are obvious, and there will be other values that are deemed sensitive by a specific implementation (e.g. phone number, account number).
Consider this simple use case, where the phoneNumber is classified as "sensitive" and not allowed to be used in the URL:
GET /accounts?phoneNumber=8665551212    // find account by number
GET /lines/8665551212/usages            // get usages for number
One alternative that comes to mind is to use a search endpoint:
POST /accounts/search { phoneNumber=8665551212 }
POST /lines/search/usages { phoneNumber=8665551212 }
What other alternatives are there to achieve the same?
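To make the logging concern concrete, here is an added example (not part of the original question) that serves both styles from one small WSGI app and shows what an access log sees for each. `request_line` mirrors what a typical server or proxy access log records (method, path, raw query string, never the body), and `masked_request_line` is the fallback masking step for cases where the query parameter cannot be removed. The account table, the `SENSITIVE_PARAMS` set, the `REDACTED` placeholder and the `call` test harness are all constructed for this example.

```python
import io
import json
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

# Query parameters the implementation classifies as sensitive (assumption for this example).
SENSITIVE_PARAMS = {"phoneNumber"}

# Constructed sample data: one account keyed by phone number.
ACCOUNTS = {"8665551212": {"accountId": "acct-001", "owner": "A. Example"}}


def lookup_account(phone):
    return ACCOUNTS.get(phone)


def app(environ, start_response):
    """Serves GET /accounts?phoneNumber=... and POST /accounts/search {"phoneNumber": ...}."""
    method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
    if method == "GET" and path == "/accounts":
        params = parse_qs(environ.get("QUERY_STRING", ""))
        phone = params.get("phoneNumber", [None])[0]
    elif method == "POST" and path == "/accounts/search":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = json.loads(environ["wsgi.input"].read(length) or b"{}")
        phone = body.get("phoneNumber")
    else:
        start_response("404 Not Found", [("Content-Type", "application/json")])
        return [b"{}"]
    account = lookup_account(phone) if phone else None
    start_response("200 OK" if account else "404 Not Found",
                   [("Content-Type", "application/json")])
    return [json.dumps(account or {}).encode()]


def request_line(environ):
    """The request line a server/proxy access log records: method, path and raw query, no body."""
    qs = environ.get("QUERY_STRING", "")
    target = environ["PATH_INFO"] + ("?" + qs if qs else "")
    return f'{environ["REQUEST_METHOD"]} {target} {environ["SERVER_PROTOCOL"]}'


def masked_request_line(environ, sensitive=SENSITIVE_PARAMS):
    """Same line with sensitive query values replaced; the fallback when the URL cannot change."""
    qs = environ.get("QUERY_STRING", "")
    if not qs:
        return request_line(environ)
    masked = [(key, "REDACTED" if key in sensitive else value)
              for key, values in parse_qs(qs, keep_blank_values=True).items()
              for value in values]
    return request_line(dict(environ, QUERY_STRING=urlencode(masked)))


def call(method, path, query="", body=None):
    """Drive the app in-process and return status, body and both log views of the request."""
    environ = {}
    setup_testing_defaults(environ)
    raw = json.dumps(body).encode() if body is not None else b""
    environ.update(REQUEST_METHOD=method, PATH_INFO=path, QUERY_STRING=query,
                   CONTENT_TYPE="application/json", CONTENT_LENGTH=str(len(raw)))
    environ["wsgi.input"] = io.BytesIO(raw)
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return {"status": captured["status"], "body": json.loads(out),
            "log": request_line(environ), "masked_log": masked_request_line(environ)}


if __name__ == "__main__":
    print(call("GET", "/accounts", "phoneNumber=8665551212"))
    print(call("POST", "/accounts/search", body={"phoneNumber": "8665551212"}))
```

Running it shows the GET variant's log line carrying the full number while the POST variant's log line is just `POST /accounts/search HTTP/1.0`; masking only helps if every termination point between client and service applies it, which is why moving the value out of the URL is the more robust option.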