For your actual production systems you might consider systemd-creds along with the LoadCredential= and LoadCredentialEncrypted= directives which do the* right thing. Nothing is exposed and credentials are placed in non-swappable memory. You can even have your credentials encrypted at rest with your system's TPM.

* Well, one of the correct ways of doing this.