that’s true, if some attacker gets into your server, then whether the key is stored in env variable or in a service description such as supervisord or systemd, it doesn’t make much of a difference
You could use e.g. Kubernetes agent instead, if you want to have more control over it - this way, you could use Kubernetes secrets