Tutorial: What secures that Heroku Postgres instance

I’m not qualified to answer your question (so I won’t try to :sweat_smile:), but the discussion in this thread is similar, and security comes up a few times:

Environment variables are squarely where security comes in, though. The all-caps comment at the top of a Redwood app’s .env file illustrates this pretty well, and you can see that DATABASE_URL there too:

```
# THIS FILE SHOULD NOT BE CHECKED INTO YOUR VERSION CONTROL SYSTEM
#
# ...
#
# DATABASE_URL=postgres://user:pass@postgreshost.com:5432/database_name
# BINARY_TARGET=rhel-openssl-1.0.x
```

But as far as Jamstack goes, databases aren’t very Jamstacky. And that’s part of the reason we’re here–to bring fullstack to the Jamstack. So the solutions you see aren’t final, and security’s something we have in mind, but don’t have in progress per se. And there are some areas where I’m sure we can’t actually do anything (as in, some aspects of it will be up to the technologies we’re using).

But just like we provided auth out of the box, we’re not going to make you figure out those need-to-haves yourself. :evergreen_tree:

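One way to check the point above about keeping `.env` values out of version control, as an added example that is not part of the original post or of Redwood's own code: it scans text that is about to be committed for live (uncommented) assignments whose value is a URL with an embedded password, and redacts the secret in its report. The function names and the sample input are constructed for illustration.

```javascript
// Added example: flag connection strings with embedded credentials in text
// that is about to be committed. The sample input below is constructed.

// Matches KEY=value lines, with an optional leading "export".
const ASSIGNMENT = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/;

// Remove one pair of matching surrounding quotes, if present.
function stripQuotes(value) {
  const v = value.trim();
  const quoted = /^(["'])(.*)\1$/.exec(v);
  return quoted ? quoted[2] : v;
}

// Returns [{ line, key, redacted }] for every active assignment whose value
// is a URL carrying a password (e.g. postgres://user:pass@host/db).
function findCredentialedUrls(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, index) => {
    if (/^\s*#/.test(raw)) return; // commented-out template line, not a live value
    const match = ASSIGNMENT.exec(raw);
    if (!match) return;
    let url;
    try {
      url = new URL(stripQuotes(match[2]));
    } catch {
      return; // value is not a URL
    }
    if (!url.password) return; // no embedded password
    url.password = "REDACTED"; // never echo the secret in a report
    findings.push({ line: index + 1, key: match[1], redacted: url.toString() });
  });
  return findings;
}

// Constructed sample: the commented template from the post plus one live value.
const SAMPLE_ENV = [
  "# DATABASE_URL=postgres://user:pass@postgreshost.com:5432/database_name",
  "# BINARY_TARGET=rhel-openssl-1.0.x",
  'DATABASE_URL="postgres://app:s3cr3t@db.example.com:5432/prod"',
  "API_BASE=https://api.example.com/v1",
].join("\n");

const SAMPLE_FINDINGS = findCredentialedUrls(SAMPLE_ENV);
```

Run over staged file contents in a pre-commit hook or CI job, a non-empty result is a reason to block the commit.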