Technically yes. It depends on whether you consider the account ID to be a secret or not (AWS say "sensitive but not secret" which doesn't help much). But also it can make sense to treat all environment variables as secrets by default just so you don't accidentally end up putting something somewhere that turns out to have been Wrong.

GP is saying that GHA would need zero information about AWS if CodeBuild used a Github token and listened for GHA runs.

That may be true, but it's not what the link describes.

Fair!

And even better can scope assuming an AWS IAM role to a specific branch name & workflow filename so only code/workflows that have been through review have access to CD secrets/prod infra.

IE no prod access by editing the workflow definition and pushing it to a branch.