This is an excellent question and here is how UiPath mitigates it in enterprise deployments.
- Release Cycle
  Every workflow that goes into production needs a reviewer approval (the reviewer is the one who pushes the workflow via Orchestrator). Now, he needs to check how all the SecureStrings are used. So he needs to make sure that SecureStrings are not entered into Notepad and sent via email.
- Source Control
  You can get to the developer that entered malicious code within the workflow.
- Dev/Test/Production environments
  While a dev may call GetCredential within the Dev environment, he does not have access to production machines. The developer has access only to TestCredentials.
Somehow you have the same problem in software development. How do you make sure that sensitive data is protected?