Hacker News

nijave, today at 1:08 PM (0 replies)

While good in theory, in practice secrets are used to validate those privileges have been assigned. Even in schemes like metadata servers, you still use a secret.

Pedantically, I'd say maybe it's more fair to say they shouldn't have access to long-lived secrets and should only use short-lived values.

The "I" stands for Integration, so it's inevitable CI needs to talk to multiple things--at the very least a git repo, which in most cases requires a secret to pull.