azornathogron 2 days ago

For one of my projects my server needs a private key, and it reads this from a file descriptor on startup and then closes the fd. The fd is set up by the systemd unit, which is also configured to restrict filesystem access for the server. So the server reads a key from a file that is never visible in its mount namespace.

computerfriend a day ago

I do something similar with LoadCredential and it is quite amazing, especially when you want to run the application as a dynamic user.

infogulch a day ago

If you keep the fd open maybe you could read refreshed secrets through it for live secret rotation.
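
The read-then-close pattern from the first comment, as an added example that is not any commenter's code. It assumes the unit hands the key over with systemd's `OpenFile=` (systemd 253 or later) and its `LISTEN_FDS`/`LISTEN_FDNAMES` fd-passing protocol; the path, the fd name `tls-key` and both function names are hypothetical.

```python
import os

# Constructed unit fragment (assumption, not from the thread):
#   [Service]
#   OpenFile=/etc/myserver/tls.key:tls-key:read-only

SD_LISTEN_FDS_START = 3  # systemd numbers passed fds from 3 upwards


def inherited_fd(name, env=os.environ):
    """Return the fd systemd passed under `name`, or None if it is absent."""
    if env.get("LISTEN_PID") != str(os.getpid()):
        return None  # the fds were not addressed to this process
    try:
        count = int(env.get("LISTEN_FDS", "0"))
    except ValueError:
        return None
    names = env.get("LISTEN_FDNAMES", "").split(":")
    for offset in range(count):
        if offset < len(names) and names[offset] == name:
            return SD_LISTEN_FDS_START + offset
    return None


def read_key_once(fd, max_len=16384):
    """Read the whole key from fd, then close it whatever happens.

    After this returns, the process holds the key only in memory: there is
    no open descriptor and no path in its mount namespace to read it again.
    """
    try:
        chunks, total = [], 0
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:          # EOF
                break
            total += len(chunk)
            if total > max_len:    # refuse an unexpectedly large input
                raise ValueError("key material exceeds max_len")
            chunks.append(chunk)
        if total == 0:
            raise ValueError("no key material on fd")
        return b"".join(chunks)
    finally:
        os.close(fd)
```

At startup the server would call `read_key_once(inherited_fd("tls-key"))` and fail hard if `inherited_fd` returns `None`, rather than falling back to a path on disk.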