The amount of damage "12 factor" did to the security of our applications is so big. I'm happy that we're turning around and realizing again files are the way forward for secrets.
That is very debatable.
It depends on ones assessment on the risk of passively leaking a file on a poorly cleaned up "cloud" disk is lower or higher from an actual intruder getting access to environment variable.
I think the article is pretty good at summing it up.
Environment variables are global, have no access control, and leak across process boundaries. There's sometimes also trickiness with encoding newlines or binary data. It's really tricky to make sure that only the thing you want to give access to the secret has access to the secret and env vars for that reason often end up in logs.
Meanwhile files come with permissions, and handle binary data just fine. And child processes need to explicitly open the file so the chance that some unrelated child processes accidentally logs all your secrets is much smaller than that some sidecar container you run has a log statement that prints all env vars somewhere.
I've seen people misconfigure react projects (like next.js) often where they just expose all their server side secrets as env vars into their client-side javascript due to a process.env call in their build.
