Yep, encrypted environment variables (forge variables:set --encrypt example) were designed for this exact use case.
The recommendation to avoid using Forge storage for credential store is because it currently isn’t designed for it over being a general purpose key/value store. The data is encrypted at rest but there’s currently no detailed audit log, ability to rotate secrets, admin visibility of secrets/ability to revoke, setting additional encryption context, etc. I’ll update https://developer.atlassian.com/platform/forge/runtime-reference/storage-api-reference/ to call this out.
Good question, it’s only part of the problem for credential storage. In this case your app would need to take on the burden of encryption key management, for example what happens if (when) you need to rotate the encryption key?