You should never store unencrypted secrets, like this export file, on an unencrypted disk. Not even temporarily.
Instead, create a small encrypted drive on a pendrive or as a file with LUKS or VeraCrypt, mount it, and save the file _directly_ there.
Yes, that's correct. The script takes the output from bw-cli and pipes it directly (sort of, since we also store it in a variable to calculate the number of rows) to gpg, which then encrypts it.
The only secret we have in plain text here is the API token for Todoist which I'm OK with. It's always the balance between security and comfort.
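The pipeline described in the reply above, sketched as an added example (not the author's script): the export is held in a shell variable, counted, and piped to gpg, so no plaintext file is written. The function name `backup_vault`, the CSV format, and a session already unlocked via `BW_SESSION` are assumptions.

```shell
#!/bin/sh
# Added example: stream a Bitwarden export into gpg without a plaintext file.
# Assumes `bw` is logged in and unlocked (BW_SESSION exported) and that the
# recipient's public key is already in the local gpg keyring.

# backup_vault RECIPIENT OUTFILE
# Prints the number of exported lines (header excluded); non-zero on failure.
backup_vault() {
    recipient=$1
    outfile=$2
    [ -n "$recipient" ] && [ -n "$outfile" ] || return 2

    # The export lives only in this shell variable (process memory).
    # --raw makes bw write the export to stdout instead of a file.
    export_data=$(bw export --format csv --raw) || return 1
    [ -n "$export_data" ] || return 1   # refuse to "back up" nothing

    # Line count after the CSV header. printf is a shell builtin, so the
    # secret is not passed on any process's command line.
    rows=$(printf '%s\n' "$export_data" | tail -n +2 | wc -l | tr -d ' ')

    # Ciphertext is created owner-only, under a temporary name, so a failed
    # run never replaces the previous good backup.
    (
        umask 077
        printf '%s\n' "$export_data" |
            gpg --batch --yes --encrypt --recipient "$recipient" \
                > "$outfile.tmp"
    ) || { rm -f "$outfile.tmp"; unset export_data; return 1; }
    mv "$outfile.tmp" "$outfile" || return 1

    unset export_data
    printf '%s\n' "$rows"
}
```

Call it as `backup_vault you@example.invalid /path/to/vault.csv.gpg`; the printed count can feed whatever reminder or check follows.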
If you're self-hosting bw then there is a better way. The vault is encrypted at rest. Just back that up via borgbackup. No questionable plain text step. No reminders, just nightly incremental backup.