by tehlike 3329 days ago
Doesn't this still make it potentially available in case some malicious/unmalicious coder leaves some console debugging out?

Only if you merge it in. The point is the secure environment variables are not available at all in the fork build. The bash oneliner they show is to help you run scripts which won't crash if they don't have those env vars available, not to "hide them" by running a test script which doesn't use them.
I know many instances where code reviews didn't catch log statements in huge binaries.
Right, but now you're in the "review of a PR didn't catch malicious code" boat. At which point, you've got bigger problems than leaking env vars in your CI.

Not to dismiss it---it's just a different point.