> Ideally secrets never leave secure enclaves and humans at the organization can't even access them.

Right, but doesn't that mean there is no risk from sending employee laptop ENV variables, since they shouldn't have any secrets on their laptops?