Avoiding information leakage in multi-host deployments

Well, they kind of were; the security aspects were even mentioned in the original thesis from 2006, though the initial focus was on reproducibility, and this is only possible with a public, world-readable store. I believe containers weren’t much of a thing at that point yet, so the scenarios for service deployments were actual servers that you as an admin had control over, and in the initial development stage of Linux, multi-user setups didn’t exist at all.

The current multi-user setup with the Nix Daemon and build users was already planned, but took a while to materialize; I think it only became the recommended installation method a few years ago.

Right now the focus (AFAICT) is on implementing content-addressed store paths to at least allow for safe sharing of build artifacts between users.

That’s a good point.

Ideally, you’d only deploy a single access key (separately from Nix, of course) and manage the secrets in a separate service like HashiCorp Vault or Bitwarden Secrets Manager.