You might like https://varlock.dev - it lets you use a .env.schema file with JSDoc-style comments and new function call syntax to give you validation, declarative loading, and additional guardrails. This means a unified way of managing both sensitive and non-sensitive values - and a way of keeping the sensitive ones out of plaintext.
Additionally, it redacts secrets from logs (one of the other main concerns mentioned in these comments) and in JS codebases, it also stops leaks in outgoing server responses.
There are plugins to pull from a variety of backends, and you can mix and match - i.e. use 1Pass for local dev, use your cloud provider's native solution in prod.
Currently it still injects the secrets via env vars - which in many cases is absolutely safe - but there's nothing stopping us from injecting them in other ways.