Does the capture check on Secret prevent you from just using `_.value` as your extractor now? I'm not seeing how this approach could ever be made to work without tracking primitives, and even with that it's not clear that you can actually use this to prevent a leak. You're always going to have to serialize the secret somehow (unless the capability is entirely used as a token within your same process, and then you don't need to wrap anything and can just pass an opaque object around), so you can always get at it.