I'm bringing this up because the circleCI blogpost says that the attacker did memory-dump encryption keys from a running process. See https://circleci.com/blog/jan-4-2023-incident-report/
So even if they were using hashicorp/vault, the attacker could probably still have been able to mem-dump vault's process.