An easy solution would be to just encrypt the whole statefile.
This would work the same as state locking works now. You can apply an extra provider for state encryption/decryption just like you do for state locking/unlocking.
It's already been requested (with pull requests) for Terraform for a while now and Hashicorp keeps rejecting it, presumably because it would undermine features of Terraform enterprise.
OpenTofu is already considering implementing this feature as a result.
In Terraform’s defense, it’s often the fault of providers and/or APIs.