Is it safe to store sensitive data in environment variables?
I often hear that storing passwords in code is evil (which is obvious) and that storing them in environment variables is suggested as an alternative. No doubt it looks safer, but how much safer? After all, getting a process's environment variables is easy enough, and you don't even need root for it.
Neither option is safe. In applications that run as a persistent instance (roughly everything that is not PHP), you have to clear them after first loading them into memory. In PHP and other languages that clear memory at the end of the script (per request), there is no security whatsoever within the scope of this question.
"Is it safe to store sensitive data in environment variables?"
No! This grows out of the 12-factor methodology. I'm racking my brains over how to solve it nicely. A very difficult question. This sensitive data has to be stored somewhere before deployment, then transferred (securely) and deleted.
"After all, getting a process's environment variables is easy enough, and you don't even need root."
Run the printenv command in user space and pull out whatever you want.
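The two points above, reading the environment without root and "clearing" variables after loading them, as an added example that is not from the thread. The secret name and value are constructed; the child process shows that `os.environ.pop` hides the value from the process and anything it spawns, while on Linux `/proc/self/environ` still holds the exec-time environment block, so scrubbing is weaker than it looks.

```python
import json
import os
import subprocess
import sys

# Child program, run in a fresh process with the constructed secret in its
# environment. It loads the secret once, scrubs it, and reports where the
# value is still visible.
CHILD = r'''
import json, os, subprocess, sys
name = sys.argv[1]
secret = os.environ.pop(name)          # read once, then drop from this process
report = {"loaded": secret}
report["in_os_environ"] = name in os.environ
# Spawned processes inherit the current (already scrubbed) environment,
# so a child no longer sees the value.
child = subprocess.run([sys.executable, "-c",
    "import os, sys; print(sys.argv[1] in os.environ)", name],
    capture_output=True, text=True)
report["in_child_env"] = child.stdout.strip() == "True"
# /proc/self/environ is the environment block laid down at exec time;
# unsetenv() only unlinks the pointer, the bytes stay readable (Linux only).
try:
    with open("/proc/self/environ", "rb") as f:
        report["in_proc_environ"] = (name + "=").encode() in f.read()
except OSError:
    report["in_proc_environ"] = None   # no procfs on this platform
print(json.dumps(report))
'''

def scrub_demo(name="DEMO_SECRET", value="constructed-not-a-real-secret"):
    """Start a child with the secret in its env; return where it remains visible."""
    env = dict(os.environ, **{name: value})
    out = subprocess.run([sys.executable, "-c", CHILD, name],
                         env=env, capture_output=True, text=True, check=True)
    return json.loads(out.stdout)

if __name__ == "__main__":
    print(scrub_demo())
```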
Confidential data should be stored not in environment variables but in the environment itself.
If you do not use external vaults, then directly on the production server, access to which is protected from outsiders.
1. You can simply store it in a config file on the server.
2. In principle, you can also store it in the source code in encrypted form and keep the decryption key on the production server, but the first option is better.
3. You can also store it in environment variables, but why? They still have to be read on the production server from some file, and in that case why shouldn't the backend read them from the file directly? The situation is this: for an attacker to get at the environment variables, he has to break into the server or compromise your code, and at that point it hardly matters how they are stored. It is another matter if outsiders can log in to the server and you are fiddling with access rights on profiles.