Claude code is actually very good at not reading your keys these days.
Not the case for me. I tried .envs, ansible-vault and sops, and it always ends up reading the unencrypted ones for some reason, usually in debugging sessions, it finds a way to read them.
Well it reads them, but (at least for me) it reads them in a way where it filters out the actual key values.