I don't use AWS and looking in ~/.config/gh I see two config files, no plain-text secrets.

With that said, it's not impossible some tool leaks their secrets into ~/.local, ~/.cache or ~/.config I suppose.

I thought they were referencing the common approach of adding environment variables with plaintext secrets to your shell config or as an individual file in $HOME, which been a big no-no for as long as I can remember.

I guess I'd reword it to "I'm not manually putting any cleartext secrets on disk" or something instead, if we wanted it to be 100% accurate.