Yeah, that is a hard problem to solve. Right now RunSecret depends on the host system (your laptop, CI runner, or application container) having access to the secret vault(s) of choice that you reference. This can be through ENV VARS, OIDC, or IAM roles (in some cases), but currently there is no HSM support.
Also, it would be interesting to see what trufflehog finds (should be a false positive).
https://github.com/trufflesecurity/trufflehog
Where are you storing the creds to get the secret from the vault?
This is the secret zero problem, and other platforms solve it in other ways, such as HSM.