Imagine that I would like to call an external API that requires a secret key for the API. Where should I put this secret?
Since files in PAWS are publicly accessible, therefore, putting the secrets in files is a bad practice.
On sites that allows its users to run scripts, e.g. CI, there are usually a page that manage these secrets; and they are not stored in files.