I would like to know why sign_in_count and current_sign_in_at of :trackable option are blacklisted by devise, I understand that encrypted_password is blacklisted but sign_in_count.
They were added to an internal constant, BLACKLIST_FOR_SERIALIZATION, to provide more secure defaults for Devise models.
The array can be modified to remove those attributes that you need from the blacklist.
According to this answer right here. Devise has BLACKLIST_FOR_SERIALIZATION constant for this purpose. Check it in the source code: https://github.com/plataformatec/devise/blob/master/lib/devise/models/authenticatable.rb#L59
You are advised not to modify it according to this comment by one of the contributors of devise.
I don't think BLACKLIST_FOR_SERIALIZATION should be something encouraged to be modified. It's not a configuration option, but an internal constant to provide more secure defaults for Devise models.