I explored this a little more, and I think I understand what happens: the masking is applied after the conversion. Thus, since it is a string at this point, you get xxxx.
I will also submit that this is what you want. Consider:
CREATE USER stisse WITHOUT LOGIN
CREATE TABLE Orvar (d varchar(20) MASKED WITH (FUNCTION = 'default()'))
INSERT Orvar(d) VALUES('20220125')
GRANT SELECT ON Orvar TO stisse
go
EXECUTE AS USER = 'stisse'
go
SELECT d, convert(datetime, d, 23) FROM Orvar
go
REVERT
go
DROP USER stisse
DROP TABLE Orvar
This is the output:
![![212622-image.png][1]][1]
Now, imagine that masking had occurred at the source. In that case, the conversion to datetime would have failed, since xxxx cannot be converted to datetime.