
Any shared resource seems to give rise to security issues. Extracting data through side channels in the hardware's architecture is what woke me up to this.


That's true of physical reality itself. Everything that happens constantly leaks information to the surroundings, spreading outward at the speed of light.

Point being, there always are side channels.


I recently had to copy a secret which was available in a CI-job to a new repository, but the system was smart enough to filter it if echoed literally.

So "echo $API_TOKEN" failed, but getting the output of the complete environment was as easy as "env | base64".


One has to question the premise of such "smartness" in the system in the first place.


I think of it as a form of politeness, basically. It's only a security feature in the sense that it's a tool you can use to make good logging hygiene a little easier for your CI system, not in the sense of helping form any kind of security boundary.

I assume (hope?) that's the intention, that nobody is advertising this as a way to prevent exfiltration of secrets.
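An added example, not part of any comment in this thread: a post-job log audit that shows why exact-match masking misses the base64 case mentioned above, and how a defender can still flag it by searching for the three possible base64 alignments of a known secret. The token, the log and all function names are constructed for illustration.

```python
import base64
import math

# Constructed sample data: a fake token and a job log holding a base64 env dump.
SAMPLE_SECRET = "tok_constructed_0123456789abcdef"
_env = f"HOME=/root\nAPI_TOKEN={SAMPLE_SECRET}\nPATH=/usr/bin\n".encode()
SAMPLE_LOG = "$ env | base64\n" + base64.encodebytes(_env).decode()


def mask_literal(log: str, secret: str) -> str:
    """Exact-match masking, the hygiene feature described in the thread."""
    return log.replace(secret, "***")


def base64_fragments(secret: bytes) -> set[str]:
    """Substrings that must occur in base64(stream) if `secret` is in stream.

    The secret can start at byte offset 0, 1 or 2 modulo 3, giving three
    different encodings. Characters that also depend on neighbouring bytes
    are trimmed from both ends.
    """
    frags = set()
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + secret).decode().rstrip("=")
        start = math.ceil(8 * k / 6)        # chars that mix in prefix bits
        end = 8 * (k + len(secret)) // 6    # chars fully fixed by known bytes
        frags.add(enc[start:end])
    return frags


def find_encoded_secret(log: str, secret: str) -> list[str]:
    """Report which encodings of `secret` appear in `log`."""
    compact = "".join(log.split())  # base64 output is line-wrapped
    hits = []
    if secret.encode().hex() in compact.lower():
        hits.append("hex")
    if any(frag in compact for frag in base64_fragments(secret.encode())):
        hits.append("base64")
    return hits


if __name__ == "__main__":
    print("masker changed log:", mask_literal(SAMPLE_LOG, SAMPLE_SECRET) != SAMPLE_LOG)
    print("audit hits:", find_encoded_secret(SAMPLE_LOG, SAMPLE_SECRET))
```

This covers only hex and base64; any other transform of the value passes unnoticed, which is why neither masking nor this audit forms a security boundary.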


I remember digging into this 10-15 years ago. 'shared hosting' per provider had some arbitrary resource restrictions, but you could still find out via a cron job or some such. Like `cat`ting /etc/network stuff. Basically a sieve.



