To add to that, there aren’t really any declarative-provisioning systems out there that actually have a good solution to this. Fundamentally, secrets should not be part of your declarative configuration, because by definition they should only be where they are used.
Kubernetes usually solves it via an awkward secret service (often vendor-specific or one of many fragmented FOSS tools - like the very sops sops-nix uses), ansible has its vault which has the same exact limitations NixOS has, ditto with docker secrets, systemd credentials, etc. None of these tools can really be considered “perfect” under all use cases, and are quite complex considering how simple and fundamental the problem is.
Secrets just aren’t an easy thing to solve, and as usual lack of standardization and 40 years’ worth of legacy software is making a convenient solution impractical. See also this post a while ago from @ElvishJerricco that likens secrets more to data, which I found really insightful: Alternative way to handle secrets - #2 by ElvishJerricco