Passing plain text password over HTTPS

My login for POST is over HTTPS. Therefore, I don’t do anything to the provided password before submitting. And I don’t see an issue there unless someone is watching your browser’s developer console. (Tested the Google login. They also share the same approach.)

But I’ve received a concern asking "malicious user succeeds in session hijacking in someway will be able to access the end user credentials". Is this a valid argument? if so, how can I act?