Right now environment variables are used for secrets, but in general you want secrets to be write-only or at the very least only allow read based on some IAM.
A good first step would be to add a "sensitive" checkmark when you create an environment variable so it can only be written to and it cannot ever be read by users.
This is the behaviour of GitHub Actions, Terraform Cloud, etc. and generally good enough for a lot of people.