Why don't providers offer dns api keys restricted to txt records?
desec.io allows you to create (through the api) tightly-scoped tokens that can only update the "_acme-challenge.subdomain.example.com" domain needed for DNS-01 challenges.
I switched to them from cloudflare dns for that specific functionality and it works great.
Very good question. On e.g. AWS one could probably do something like that with a custom Lambda…? Still, would be very convenient if there was some IAM rule for that.
https://dns.he.net/ does. Each record can have its own secret. You can also use this for things like A records to do dynamic DNS.
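What the two scoping models above look like as an authorization check, as an added example that is not code from deSEC, Hurricane Electric or any other provider: `acme_scope` models a token limited to TXT at `_acme-challenge.<host>` (the DNS-01 case), and `record_scope` models a per-record secret bound to one type at one name (the dynamic-DNS A-record case). The `DnsApi` class, zone contents, names and token values are all constructed for illustration.

```python
"""Model of a DNS update API that enforces narrowly scoped tokens.

Added example (not code from deSEC, Hurricane Electric, Cloudflare or AWS).
Zone contents, token values and names are constructed for illustration.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets


def normalize(name: str) -> str:
    """Canonical owner name: lower-case, no trailing dot, so scope checks
    cannot be bypassed by case or FQDN-vs-relative spelling."""
    return name.rstrip(".").lower()


@dataclass(frozen=True)
class Scope:
    """What a token may write: a set of record types and exact owner names."""
    record_types: frozenset
    names: frozenset

    def allows(self, rtype: str, name: str) -> bool:
        # Exact match on the normalized name: no prefix, suffix or wildcard
        # matching, so "x_acme-challenge.www.example.com" is not covered by
        # a scope for "_acme-challenge.www.example.com".
        return rtype.upper() in self.record_types and normalize(name) in self.names


def acme_scope(hostname: str) -> Scope:
    """deSEC-style scope: TXT only, only the _acme-challenge label under hostname."""
    return Scope(frozenset({"TXT"}), frozenset({"_acme-challenge." + normalize(hostname)}))


def record_scope(rtype: str, name: str) -> Scope:
    """dns.he.net-style per-record secret: one type at one name (e.g. A for dyndns)."""
    return Scope(frozenset({rtype.upper()}), frozenset({normalize(name)}))


@dataclass
class DnsApi:
    """Tiny in-memory provider: zone data plus hashed tokens and their scopes."""
    zone: dict = field(default_factory=dict)    # (type, name) -> value
    tokens: dict = field(default_factory=dict)  # sha256(token) -> Scope

    def issue_token(self, scope: Scope) -> str:
        raw = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(raw.encode()).hexdigest()] = scope
        return raw  # shown once to the caller; only the hash is kept

    def _scope_for(self, raw: str):
        digest = hashlib.sha256(raw.encode()).hexdigest()
        for stored, scope in self.tokens.items():
            if hmac.compare_digest(stored, digest):
                return scope
        return None

    def update(self, token: str, rtype: str, name: str, value: str) -> tuple:
        """Write one record if the token's scope covers (type, name).
        Returns (ok, reason) so callers can log denials."""
        scope = self._scope_for(token)
        if scope is None:
            return (False, "unknown token")
        if not scope.allows(rtype, name):
            return (False, f"token not scoped for {rtype.upper()} {normalize(name)}")
        self.zone[(rtype.upper(), normalize(name))] = value
        return (True, "ok")


def demo() -> dict:
    """Exercise the checks an ACME client and a dyndns client would hit."""
    api = DnsApi(zone={("A", "www.example.com"): "192.0.2.10"})
    acme_token = api.issue_token(acme_scope("www.example.com"))
    dyndns_token = api.issue_token(record_scope("A", "home.example.com"))
    results = {
        # DNS-01 challenge record: allowed, including FQDN spelling with trailing dot
        "acme_txt": api.update(acme_token, "TXT", "_acme-challenge.www.example.com.", "tokenvalue"),
        # the same token must not be able to re-point the site
        "acme_hijack_a": api.update(acme_token, "A", "www.example.com", "198.51.100.1"),
        # nor touch another host's challenge record
        "acme_other_host": api.update(acme_token, "TXT", "_acme-challenge.mail.example.com", "x"),
        # nor a look-alike name that merely contains the scoped label
        "acme_lookalike": api.update(acme_token, "TXT", "x_acme-challenge.www.example.com", "x"),
        # per-record dyndns secret: A at home.example.com only
        "dyndns_a": api.update(dyndns_token, "A", "home.example.com", "203.0.113.7"),
        "dyndns_txt": api.update(dyndns_token, "TXT", "home.example.com", "x"),
        "bad_token": api.update("not-a-token", "TXT", "_acme-challenge.www.example.com", "x"),
    }
    results["zone"] = dict(api.zone)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The point of the exact-match and normalization rules is that a leaked ACME token buys an attacker only the ability to rewrite one challenge record, not the site's A record or any other host's challenge; the `(ok, reason)` tuple is there so denials can be logged and alerted on.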