I think the article is pretty good at summing it up.
Environment variables are global, have no access control, and leak across process boundaries. There's sometimes also trickiness with encoding newlines or binary data. It's really tricky to make sure that only the thing you want to give access to the secret has access to the secret, and env vars for that reason often end up in logs.
Meanwhile, files come with permissions and handle binary data just fine. And child processes need to explicitly open the file, so the chance that some unrelated child process accidentally logs all your secrets is much smaller than that some sidecar container you run has a log statement that prints all env vars somewhere.
I've often seen people misconfigure React projects (like Next.js) where they just expose all their server-side secrets as env vars into their client-side JavaScript due to a process.env call in their build.
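Added example, not part of the original comment: a Python sketch of the contrast described above, where a child process that dumps its environment (standing in for a debug log statement) captures a secret passed as an env var but only sees a path when the secret lives in an owner-only file. The variable names `DB_PASSWORD` and `DB_PASSWORD_FILE` and the secret value are constructed for illustration.

```python
import os
import stat
import subprocess
import sys
import tempfile

SECRET = "constructed-example-secret"  # constructed sample value, not a real credential

# Stand-in for an unrelated helper or sidecar with a debug statement
# that prints every environment variable it inherited.
CHILD_DUMPS_ENV = "import os; print(dict(os.environ))"


def run_child(extra_env):
    """Run the env-dumping child and return what it 'logged' on stdout."""
    env = dict(os.environ, **extra_env)
    result = subprocess.run([sys.executable, "-c", CHILD_DUMPS_ENV],
                            env=env, capture_output=True, text=True, check=True)
    return result.stdout


def write_secret_file(directory):
    """Create the secret file with owner-only permissions from the start."""
    path = os.path.join(directory, "db_password")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(SECRET)
    return path


def demo():
    with tempfile.TemporaryDirectory() as directory:
        # Case 1: secret passed directly in the environment.
        env_log = run_child({"DB_PASSWORD": SECRET})
        # Case 2: only the file path is in the environment; the child
        # would have to open the file explicitly to get the value.
        path = write_secret_file(directory)
        file_log = run_child({"DB_PASSWORD_FILE": path})
        mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "env_secret_in_child_log": SECRET in env_log,
        "file_secret_in_child_log": SECRET in file_log,
        "file_mode_group_other_bits": mode & 0o077,
    }


if __name__ == "__main__":
    print(demo())
```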