1. It's easy to grab the whole environment and print it out (can be useful for debugging) or send it as part of an error report for instance.
If you have software in your deployment that will send "error reports" to untrusted third parties then you have bigger problems than your shell environment.
2. The whole environment is passed down to child processes
If you don't trust your child processes then you have bigger problems than your shell environment.
3. External developers are not necessarily aware that your environment contains secret keys.
And?
I'm not sure what you mean by "external developer" and what you expect them to do with your environment. E-Mail it out when an error occurs?
If you tolerate that kind of developer on your project then you.. oh well, see above.
If you have software in your deployment that will send "error reports" to untrusted third parties then you have bigger problems than your shell environment.
2. The whole environment is passed down to child processes
If you don't trust your child processes then you have bigger problems than your shell environment.
3. External developers are not necessarily aware that your environment contains secret keys.
And?
I'm not sure what you mean by "external developer" and what you expect them to do with your environment. E-Mail it out when an error occurs?
If you tolerate that kind of developer on your project then you.. oh well, see above.