Studio X developer keep password in credentials secure

How do you keep Credentials secure for Studio X developers (Citizen Devs)? Any time they download a process from Orchestrator that uses credentials they can open up the xaml files of the installed process and read in the credential name.

At that point, it is my understanding a Cit Dev can then follow the following logic:

  1. Open up the xaml containing a credential name
  2. Build a new workflow using that credential
  3. use new system.Net.NetworkCredentials(user,pass).Password to get the text version of the password
  4. Start using that password in an robot they create OR even outside of the robot.

Am I missing something that would prevent the above?
If not, how do you prevent this or can you?
We have a few people in our org that want to become citizen developers that would be building simple automations and also will be using automations the RPA DevOps team builds. The DevOps ones will be using passwords that connect to a DB. A Cit Dev can’t grab the username and passwords of the attended since they aren’t typed into a text field (used in private marked DB connection activities), but we don’t want them being able to run queries outside these few use cases in our Enterprise database either.

Any ideas would be appreciate.