> Most of the “overhead” and “security nightmare” worries assume the worst possible setup with zero curation and bad ops.

You'll be surprised to learn that these are extremely common, even in large corporations. Security practice is often far from ideal due to both incompetence and negligence. Just this week, I accidentally got the credentials for the account used in our CI systems. Don't ask me how this could possibly happen.