True, but people do it anyway, and a large number of applications are preconfigured to use them. But to the point, the same tool that hides the secret and encrypts the variable in 'docker inspect' will also show it as encrypted in /proc/[pid]/environ.