Jenkins CI has a clever feature where every password it injects will be redacted if printed to stdout; `enveil run` could do that with the wrapped process?

Of course that's only a defense against accidents. Nothing prevents encoding base64 or piping to disk.