1. ./blah.sh | grep LookupKey exposes just as much information as pass -c LookupKey. If someone has access to your machine and you don't carefully prune your bash history file, then you're screwed. However, in the latter case, at least you get something at the cost of giving up security -- namely, the convenience of tab completion.

2. The only way to solve problem #1 in general is to have multi-stage authentication, where you authenticate to access to lookup keys and then authenticate again to access the passwords. That's achievable using pass and some Bash -- obfuscate file names and store a obfuscated -> actual mapping in a gpg-encrypted file, and write a bash script that does the ln -s'ing. And then the command that does that dumps you into a shell that doesn't record history.

I did this for a while but found it's a bit of PITA. Also, I can almost always come up with names that would be difficult to exploit without a lot of information about my life (bank_primary, bank_secondary; email/personal, email/business, email/spammy; server/personal, server/2011; and so on. I won't remember these verbatim, but once tab-completion reminds me of my options I typically recall which is which. And in case you're afraid in several years you'll forget which server you first purchased in 2011, you can always just pass -e server/2011 and explain which one you meant in subsequent lines.