maybe they could be encrypted, and you could say "well its everything but the
    encryption key, which is owned in physical form by the CEO."

I don't see how this is any different from most projects where keys and the like are kept in some form of secrets manager (AWS services, GHA Secrets, Hashi Vault, etc.).