I had this discussion a few years ago and got some really good suggestions back from plonesec / @mauritsvanrees
One idea that was thrown out was to use Cloud Key Management | Google Cloud to manage the key for two-way encryption of keys stored in the registry, or any DX/AT field for that matter.
The simpler, but much less secure solution was to base64 all data related to the plugin into a single, obfuscated registry key, but that's certainly not going to satisfy any compliance rules.
I ended up with a vision of a plugin that creates a new 'encrypted' field for DX that can be used in DX schemas. This also provides a control panel plugin to use a cloud-based key manager so the key(s) are stored on a separate platform than Plone.
If Plone is compromised, the fields are useless without the key on the cloud.
If the key is compromised, it can be rotated using the cloud provider.
If the cloud provider is compromised, you could configure the plugin on the control panel to use a new one (assuming it's using a standardized key exchange format like OAuth or JWT).
Another wise quote from the conversation: "You'll still likely use vault to deploy with some db config/secret as env variable."
Just some ideas that came from a previous brainstorming session on this.
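The envelope-encryption pattern behind the "encrypted field plus external key manager" idea above, as an added example that is not part of the post and not Plone or Google Cloud code: each field value is encrypted under its own random data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that never leaves the key manager, and only the wrapped DEK is stored beside the ciphertext. `KmsStub` is a hypothetical stand-in for a cloud KMS so the example runs offline; a real deployment would call the provider's encrypt/decrypt API instead. To stay standard-library only, the cipher is an HMAC-SHA256 keystream with encrypt-then-MAC, a labelled substitute for AES-GCM. The rotation path shows the property the post relies on: after the KMS rotates (or revokes) a KEK, stored records are re-wrapped without touching the field ciphertext, and a record still bound to a revoked KEK version becomes unreadable.

```python
"""Envelope-encrypted field values with the KEK held outside the application.

Added example, not Plone code. KmsStub stands in for a cloud key manager;
the HMAC-based cipher below is a stdlib-only substitute for AES-GCM.
"""
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF stream (stand-in for a block cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC with separate keys derived from `key`; returns a hex-encoded box."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def _open(key: bytes, box: dict) -> bytes:
    """Verify the tag before decrypting; any modification of nonce/ct/tag is rejected."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or tag was modified")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KmsStub:
    """Hypothetical cloud KMS: KEKs live only here, the app only ever sees wrapped DEKs."""

    def __init__(self):
        self._keks = {}          # kek_version -> KEK bytes (never returned to callers)
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        """Create a new KEK version and make it the one used for new wraps."""
        self.current += 1
        self._keks[self.current] = secrets.token_bytes(32)
        return self.current

    def disable(self, version: int) -> None:
        """Revoke a (compromised) KEK version; anything still wrapped under it is lost."""
        del self._keks[version]

    def wrap(self, dek: bytes) -> dict:
        return {"kek_version": self.current, **_seal(self._keks[self.current], dek)}

    def unwrap(self, wrapped: dict) -> bytes:
        return _open(self._keks[wrapped["kek_version"]], wrapped)


class EncryptedField:
    """What a DX 'encrypted' field would store and read back, given a KMS handle."""

    def __init__(self, kms: KmsStub):
        self.kms = kms

    def encrypt(self, value: str) -> str:
        dek = secrets.token_bytes(32)              # fresh DEK per stored value
        record = {"wrapped_dek": self.kms.wrap(dek), "data": _seal(dek, value.encode())}
        return json.dumps(record)                  # this string is what lands in the registry/ZODB

    def decrypt(self, stored: str) -> str:
        record = json.loads(stored)
        dek = self.kms.unwrap(record["wrapped_dek"])
        return _open(dek, record["data"]).decode()

    def rewrap(self, stored: str) -> str:
        """After KEK rotation: re-wrap the DEK under the current KEK; ciphertext is untouched."""
        record = json.loads(stored)
        dek = self.kms.unwrap(record["wrapped_dek"])
        record["wrapped_dek"] = self.kms.wrap(dek)
        return json.dumps(record)


def kek_version_of(stored: str) -> int:
    """Which KEK version a stored record is bound to (useful for rotation sweeps)."""
    return json.loads(stored)["wrapped_dek"]["kek_version"]


if __name__ == "__main__":
    kms, field = KmsStub(), EncryptedField(kms)
    blob = field.encrypt("constructed-db-password")   # sample value, constructed for the demo
    print("stored record bound to KEK v%d" % kek_version_of(blob))
    kms.rotate()
    print("after rotation, re-wrapped to v%d:" % kek_version_of(field.rewrap(blob)), field.decrypt(blob))
```

In the real plugin the `KmsStub` methods would be the provider's wrap/unwrap calls, so a dump of the ZODB or the registry yields only wrapped DEKs and ciphertext; the rotation sweep is a loop over stored records calling `rewrap`, and compromise of one KEK version is contained by `disable` plus a sweep.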