Only things processed by nix will end up in the nix store. So, only things written directly in a .nix file, or imported into nix with builtins.readFile or fetchGit or such, will be put in the nix store.
The nix store is only written to at “build time”, and never changed otherwise. That means that applications which you actually use - such as thunderbird - will not put anything in the nix store.
Another way to express this, if “build time”/“run time” is confusing to you, is that if you didn’t write the secret before you run nixos-rebuild, there’s no way nix could possibly read it.
So, if I understand you correctly:
Nix will indeed not touch these secrets. You didn’t write them into a .nix file, or ask nix to read them with builtins.readFile.
The configuration does go to the nix store indeed. You wrote it directly in a .nix file.
That does not mean your user passwords are written into the nix store though. User passwords are unrelated to sudo configuration.
Not quite, no. It’s only in the nix store because you added it to a .nix file. Nix packages still behave exactly as they would on other distros. The only difference is that NixOS configures them to read some files from /nix/store, and puts whatever you define with your NixOS configuration in the nix store.
The packages themselves can still read files from anywhere else if you configure them to do so - and that’s how sops-nix works. Just write your secrets to somewhere that is not the nix store, and tell your programs to read them from there. You don’t even need sops-nix for that, sops-nix just does the writing for you so you don’t have to remember to do that if you reinstall your configuration.
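As an added illustration of the distinction made above (this is not from the thread or from the sops-nix project), the module below puts the leaking pattern next to the sops-nix pattern. It assumes a secret file at ./secrets/smtp-password, an age key at /var/lib/sops-nix/key.txt, and a hypothetical service called myapp.

```nix
# Added example: how a secret does or does not end up in /nix/store.
{ config, pkgs, ... }:
{
  # LEAKS: builtins.readFile runs at evaluation time, so the secret's
  # contents become part of the built configuration and are copied into
  # the world-readable /nix/store as /etc/app/smtp-password's source.
  # environment.etc."app/smtp-password".text =
  #   builtins.readFile ./secrets/smtp-password;

  # DOES NOT LEAK: sops-nix ships only the *encrypted* file (secrets.yaml)
  # into the store and decrypts it at activation time, outside the store.
  sops.defaultSopsFile = ./secrets/secrets.yaml;   # assumed path
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";  # assumed path

  # Default decrypted location is /run/secrets/<name>, a tmpfs, not the store.
  sops.secrets.smtp-password = {
    owner = "myapp";   # file is created 0400 for this user
  };

  # Only the path *string* "/run/secrets/smtp-password" is baked into the
  # store; the program opens the file when it starts.
  systemd.services.myapp = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "myapp";
      # systemd copies the file into $CREDENTIALS_DIRECTORY/smtp at start.
      LoadCredential = "smtp:${config.sops.secrets.smtp-password.path}";
      ExecStart = "${pkgs.hello}/bin/hello";  # placeholder for the real binary
    };
  };

  users.users.myapp = { isSystemUser = true; group = "myapp"; };
  users.groups.myapp = { };
}
```

After a rebuild, a quick check that nothing leaked is to grep the closure for the plaintext: `grep -rl 'the-secret-value' $(nix-store -qR /run/current-system)` should print nothing, whereas the commented-out builtins.readFile variant would match.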