You can even go further and delete all your secrets from your env by creating wrapper scripts.
Example: https://github.com/combostrap/devfiles/blob/main/dev-scripts...
It's not completely foolproof, but at least gpg asks for my passphrase only when I run the script.