I think single-secret files and filesystem permissions are superior between the presented options.

You don't need root to do what rootless podman does and create and work in directories that processes spawned from your normal user can't normally read using subuids. tmpfs to keep it off actual disks.