The secrets placeholder design is the right trade-off for this use case. You're essentially accepting that malicious code can still use your API keys for their intended purpose - the goal is preventing permanent exfiltration.

The interesting attack surface that emerges: any endpoint on your approved hosts that reflects input back in responses. Error messages, search pages, create-then-read flows. The thread already covers this, but practically speaking, most API providers have learned to sanitize these paths after years of debugging sensitive token leaks in logs.

For anyone evaluating this vs. rolling your own: the hard part isn't the proxy implementation, it's maintaining the allow-list as your agent's capabilities grow and making sure your secret substitution rules are tight enough to catch edge cases.