First of all, thanks for that article :)
Let's say that I am a black hat guy.
So, you store your variables in your environment, which means that I have to get access to the session where the process is running.
It doesn't matter how the variables got there (via K8S, exported manually, ...).
Then you say that for better security I have to save the variables in an external system, but the access key is still in the session of that exact process.
It adds only one additional step for me to get your secrets, doesn't it?
Some people think that sending credentials in Base64 reduces the chance of the secret being hacked, but the truth is that you just add an additional step for the hacker, which does not reduce the total complexity.