“Good CI systems shouldn’t support secrets, at most there should be [the most complicated secret support ever]”

Let’s just call it secret support.

I agree with your suggestion that capabilities-based APIs are better, but CI/CD needs to meet customers where they’re at currently, not where they should be. Most customers need secrets.