This is an excellent question and here is how UiPath mitigates it in enterprise deployments.
1. Release Cycle
Every workflow that goes into production needs a reviewer approval (the reviewer is the one who pushes the workflow via Orchestrator). Now, he should check how all the SecureStrings are used…to make sure that SecureStrings are not entered into notepad and sent via email. That’s easy using Search.
2. Source Control
You can track the developer that entered malicious code within the workflow
3. Dev/Test/Production environments
While a dev may call GetCredential within Dev environment he does not have access to production machines. The Dev has access only to TestCredentials.
You have the same problem in software development. How do you make sure that some dev is not introducing malicious code into iOS? The answer is code review, automatic or not + source control.