by XorNot
2894 days ago
You've missed the important detail: Protected Variables in GitLab aren't just hidden, they're not injected into builds which don't happen on Protected Branches. What this means is that so long as I or another trusted person reviews the PR of a protected branch build, we can have high confidence the code isn't going to disclose secrets unintentionally, and that people aren't going to accidentally modify a build so it deploys outside the process. This is great! But what I want is for it to go further - in a perfect system, I'd be able to set per-branch variables which are omitted if you're not on the right branch, and have branch protection managed by different sets of users - i.e. developers, lead developers, then testing/QA/UAT and finally production - which could just correspond to branch rules like uat/<whatever>, preprod/<whatever>, prod/<whatever> and allow PRs with different approvers to control the escalation process.
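As an added illustration of the mechanism the comment describes (protected variables withheld from jobs on unprotected branches) and the per-branch extension it asks for (variables and approver groups scoped to patterns such as prod/*), here is a small Python model of that policy. This is example code written for this page, not GitLab's implementation; the class names, branch patterns, users and variable values are all constructed.

```python
"""Toy policy model (added example, not GitLab code). All names constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Variable:
    name: str
    value: str
    protected: bool = False     # GitLab rule: only injected on protected branches
    branch_pattern: str = "*"   # proposed extension: only on matching branches

@dataclass(frozen=True)
class Policy:
    protected_branches: tuple   # glob patterns of protected branches
    approvers: dict             # branch pattern -> users allowed to approve MRs

def is_protected(branch: str, policy: Policy) -> bool:
    return any(fnmatchcase(branch, p) for p in policy.protected_branches)

def injected_variables(branch: str, variables, policy: Policy) -> dict:
    """Environment a job on `branch` receives: protected variables are withheld
    on unprotected branches, branch-scoped ones are withheld off their pattern."""
    protected = is_protected(branch, policy)
    return {v.name: v.value for v in variables
            if (protected or not v.protected)
            and fnmatchcase(branch, v.branch_pattern)}

def approval_ok(target: str, approvers: set, policy: Policy) -> bool:
    """An MR into a protected `target` needs at least one approver from the
    group of some pattern matching it; unprotected targets need none."""
    groups = [u for p, u in policy.approvers.items() if fnmatchcase(target, p)]
    if not groups:
        return not is_protected(target, policy)
    return any(a in group for group in groups for a in approvers)

# Constructed sample configuration mirroring the uat/preprod/prod layout.
POLICY = Policy(
    protected_branches=("master", "uat/*", "preprod/*", "prod/*"),
    approvers={"uat/*": {"qa-lead"}, "preprod/*": {"qa-lead", "release-mgr"},
               "prod/*": {"release-mgr"}},
)
VARIABLES = (
    Variable("APP_NAME", "shop"),
    Variable("DEPLOY_KEY", "constructed-key", protected=True),
    Variable("UAT_DB_PASSWORD", "constructed-uat-pw", True, "uat/*"),
    Variable("PROD_DB_PASSWORD", "constructed-prod-pw", True, "prod/*"),
)
```

The decision in `injected_variables` never looks at the job script, which is the property the comment relies on: a job edited on a feature branch cannot print a secret it was never handed.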